UNC4466 Exploits Multiple Vulnerabilities to Deliver ALPHV Ransomware

Summary

An emerging ALPHV (a.k.a. BlackCat, Noberus) affiliate, tracked as UNC4466, is exploiting CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in publicly exposed installations of Veritas Backup Exec. These vulnerabilities grant the threat actors initial access to victim environments. A recent internet scan revealed over 8,500 instances of Veritas Backup Exec are currently exposed to the internet. It is unknown if all these installations have been updated with Veritas Backup software version 21.2. Any instances not updated represent a significant threat to an organization.

Attack Details

UNC4466 gained initial access to an organization through the exploitation of three vulnerabilities:

CVE-2021-27876: Arbitrary file access flaw caused by an error in the secure hashing algorithm (SHA) authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (Common Vulnerability Scoring System (CVSS) score: 8.1)

CVE-2021-27877: Remote unauthorized access and privileged command execution to the Backup Exec Agent via SHA authentication. (CVSS score: 9.8)

CVE-2021-27878: Arbitrary command execution flaw result of an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)

After gaining access to the Veritas Backup Exec server, the threat actors used Famatech’s Advanced Internet Protocol (IP) Scanner and ADRecon to gather network, account, and host information. Next, they used Background Intelligent Transfer Service (BITS) to download and execute additional tools, most notably RCLONE and the ALPHV ransomware encryptor. UNC4466 used multiple evasion techniques throughout the duration of the intrusion to mask their activity, starting with utilizing SOCKS5 tunneling communicating to communicate with compromised systems. Additionally, they cleared event logs and disabled Microsoft Defender’s real-time monitoring capability before executing ALPHV ransomware on the network.

ALPHV Ransomware Background

ALPHV ransomware emerged in November 2021 as a ransomware-as-a-service toolkit for threat actors. It was the first mainstream ransomware to be written in Rust computer language and is considered a potent threat. It is assessed that ALPHV ransomware is the successor to BLACKMATTER and DARKSIDE ransomware and uses double extortion. Threat actors utilizing this ransomware have been known to target critical infrastructure, healthcare entities, and other sensitive industries. Historically, intrusions utilizing ALPHV ransomware predominantly originated from stolen credentials suggesting that this shift to exploiting vulnerabilities is due to opportunistic targeting.

Conclusion

All three flaws that impact the Veritas Backup software were disclosed in March 2021, however, many endpoints remain vulnerable as they have not updated to version 21.2. Threat actors will continue to seek out exploitation of companies that have not patched their software. It is recommended that companies:

implement secure access controls
segment networks
enable multi-factor authentication
and regularly test and evaluate backup strategies to limit the impact of a ransomware attack.

Additionally, organizations should inventory externally facing services to reduce the attack surface available to threat actors.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: