If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

Vulnerability in Veeam Backup & Replication exploited by FIN7 hackers

Started by Hosting News, May 08, 2023, 02:08 AM


Hosting News (Topic starter)

WithSecure Intelligence has attributed the attacks on Veeam servers to FIN7, a notorious cybercriminal organization.



The attacker exploited a recently patched vulnerability in Veeam Backup & Replication to carry out two attacks against these servers. Although the reason behind these attacks is still unknown, organizations are advised to patch and secure their backup servers to prevent further incidents.

FIN7, also known as the Carbanak Group, has a history of executing financially driven attacks against various businesses, primarily in the hospitality and retail industries. According to the report, two attacks have been identified that bear the hallmarks of the notorious FIN7 hacking group.

The first signs of activity were detected on March 28, 2023, on servers running Veeam Backup & Replication. On the same day, an SQL server process executed a shell command to copy the "Web.config" file located within Veeam Backup & Replication program files to another file called "system.js".

While the exact reason for this command remains unknown, it is plausible that the earlier activity was performed by the threat actor to probe and identify internet-facing servers vulnerable to CVE-2023-2753, something that FIN7 has reportedly done in the past.

Although the initial activity was initiated from the same public IP address on the same day, the attack is believed to be contained due to the limited scope of servers with the vulnerable TCP port 9401 publicly exposed.

While the study adds more information about FIN7 and their methods, affected businesses are encouraged to take necessary steps to patch and properly set up their backup servers to prevent further attacks.
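As an added example (not part of the original post or of the WithSecure report), here is a minimal detection for the behavior described above: a SQL Server process spawning a command shell, escalated when the command line touches Web.config. Field names follow Sysmon Event ID 1; the hosts, paths and log lines are constructed for illustration.

```python
import json
import ntpath

PARENT = "sqlservr.exe"  # SQL Server database engine process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events (one JSON object per line); all values are illustrative.
SAMPLE_LOG = r'''
{"host":"bkp01","ParentImage":"C:\\MSSQL\\Binn\\sqlservr.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c copy \"C:\\Veeam\\Web.config\" \"C:\\Veeam\\system.js\""}
{"host":"bkp02","ParentImage":"C:\\MSSQL\\Binn\\sqlservr.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c dir C:\\Temp"}
{"host":"ws07","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"host":"bkp01","ParentImage":"C:\\MSSQL\\Binn\\sqlservr.exe","Image":"C:\\Windows\\System32\\WerFault.exe","CommandLine":"WerFault.exe -u"}
'''


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def detect(log_text):
    """Return (host, severity, command line) for each shell spawned by SQL Server."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if basename(event.get("ParentImage", "")) != PARENT:
            continue
        if basename(event.get("Image", "")) not in SHELLS:
            continue
        cmd = event.get("CommandLine", "")
        # A database engine reading or copying Web.config matches the reported activity.
        severity = "high" if "web.config" in cmd.lower() else "medium"
        findings.append((event.get("host", "?"), severity, cmd))
    return findings


if __name__ == "__main__":
    for host, severity, cmd in detect(SAMPLE_LOG):
        print(f"[{severity}] {host}: {cmd}")
```
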


berilo

Vulnerability in Veeam Backup & Replication exploited by FIN7 hackers refers to a security flaw that was discovered in the Veeam Backup & Replication software. FIN7, a notorious hacking group, took advantage of this vulnerability to carry out their malicious activities.

Veeam Backup & Replication is a popular data protection and disaster recovery solution used by organizations worldwide. However, even well-established software can have vulnerabilities that can be exploited by skilled hackers. In this case, FIN7 identified a weakness in the software that allowed them to gain unauthorized access to systems or steal sensitive data.

When exploiting this vulnerability, FIN7 likely used various techniques such as phishing emails, social engineering, or other methods to distribute malware or gain initial access to targeted systems. Once inside, they exploited the specific vulnerability in Veeam Backup & Replication to further infiltrate the network, compromise systems, or exfiltrate data.

To protect against such attacks, it is important for organizations to regularly update their software, including Veeam Backup & Replication, with the latest security patches and fixes. Additionally, implementing robust security measures like multi-factor authentication, network segmentation, and continuous monitoring can help mitigate the risk of exploitation.

It is worth noting that the specifics of this vulnerability and the actions taken by FIN7 may vary depending on the specific incident being referenced. Therefore, for the most accurate and up-to-date information, it is recommended to refer to official reports, vendor advisories, and trusted cybersecurity sources.

