A recently patched security flaw in Veeam Backup & Replication software is being exploited by a new ransomware operation called EstateRansomware.
Group-IB, a cybersecurity firm based in Singapore, discovered the threat actor in early April 2024. The attack leverages the vulnerability CVE-2023-27532 (CVSS score: 7.5) to conduct its malicious activities.
Initial access to the target environment was facilitated through a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.
“The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server,” security researcher Yeo Zi Wei explained in an analysis published today.
Before the ransomware attack, VPN brute-force attempts were observed in April 2024 using a dormant account identified as ‘Acc1.’ A successful VPN login using ‘Acc1’ was traced back to the remote IP address 149.28.106[.]252.
The attackers then established RDP connections from the firewall to the failover server and deployed a persistent backdoor named “svchost.exe,” which is executed daily through a scheduled task.
Subsequent network access was achieved using the backdoor to avoid detection. The backdoor’s primary function is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands from the attacker.
Group-IB observed the threat actor exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named “VeeamBkp.” They also conducted network discovery, enumeration, and credential harvesting using tools like NetScan, AdFind, and NitSoft through the newly created account.
“The exploitation likely involved an attack from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server,” Zi Wei suggested. “This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the ‘VeeamBkp’ account.”
The attack culminated in the deployment of the ransomware, following steps to disable defenses and move laterally from the AD server to other servers and workstations using compromised domain accounts.
“Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” Group-IB stated.
Cisco Talos recently revealed that most ransomware gangs prioritize gaining initial access through security flaws in public-facing applications, phishing attachments, or breaching valid accounts. They also focus on circumventing defenses to increase their dwell time in victim networks.
The double extortion model, which involves exfiltrating data before encrypting files, has led to the development of custom tools (e.g., Exmatter, Exbyte, and StealBit) to send confidential information to attacker-controlled infrastructure.
These e-crime groups often establish long-term access to explore the environment, understand the network’s structure, locate resources to support the attack, elevate their privileges, blend in, and identify valuable data to steal.
“Over the past year, we have witnessed significant changes in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures, and victimology,” Talos noted. “The diversification highlights a shift toward more boutique-targeted cybercriminal activities, with groups such as Hunters International, Cactus, and Akira carving out specific niches and focusing on distinct operational goals and stylistic choices to differentiate themselves.”
 to conduct its malicious activities.){kind=link}