
VBR 9.5 is old
VBR 9.5 is pre-pandemic era.
Yet another new ransomware gang, this one dubbed EstateRansomware, is now exploiting a Veeam vulnerability that was patched more than a year ago to deploy file-encrypting malware, a LockBit variant, and extort payments from victims. Veeam fixed the flaw, tracked as CVE-2023-27532, in March 2023 for versions 12/11a and later of …
It sounds like the attackers managed to remote desktop into the server running Veeam, then exploit it locally? Or was this a remote exploit of Veeam itself?
To me, if an intruder is able to RDP into the Veeam system, regardless of Veeam patching or not, might as well call it game over.
My most recent Veeam deployment last year, I decided to put all of the VMware, vCenter, Veeam, and backup (StoreOnce, and another Linux system running XFS with reflinks) systems on an isolated VLAN behind a restrictive firewall (restrictions inbound to the VLAN, none on outbound). On top of that, the Veeam server itself is not joined to the Windows domain (which I think is regarded as good practice), and it also has Duo two-factor auth on it as well (which is super easy to set up).
Not a Veeam expert by any means, technically that was my first ever install of Veeam though I have interacted with it in the past when it was setup by other people.
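As an added example (not the commenter's own configuration, and not a Veeam-supplied script), the following read-only PowerShell audit checks the hardening points described in the post above when run locally on the Veeam backup server: that the host is not domain-joined, that Windows Firewall profiles default to blocking inbound, that no enabled inbound allow rule accepts traffic from any address, that RDP requires NLA, and that the installed Veeam Backup & Replication build is not below a patched build. The `$ManagementSubnet` value, the `$MinimumPatchedBuild` placeholder (take the real fixed build for CVE-2023-27532 from Veeam's advisory), and the `Veeam Backup & Replication*` display-name pattern used to find the install are assumptions; the Duo MFA point is not checked because it has no simple local indicator.

```powershell
# Added example, not from the thread or from Veeam. Read-only audit of the
# isolated-VLAN / standalone-host design described above. Run as admin on
# the backup server. Nothing here changes configuration.

$ManagementSubnet    = '10.10.50.0/24'     # ASSUMPTION: the only network that should reach this host inbound
$MinimumPatchedBuild = [version]'0.0.0.0'  # PLACEHOLDER: use the fixed build for CVE-2023-27532 from Veeam's advisory

$findings = New-Object System.Collections.Generic.List[string]

# 1. Standalone host: a domain compromise must not reach the backup server via domain trust.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings.Add("Host is joined to domain '$($cs.Domain)'; backup server should be a standalone machine.")
}

# 2. Inbound restricted, outbound open: every enabled profile should default to Block inbound.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) {
        $findings.Add("Firewall profile '$($_.Name)' is disabled.")
    } elseif ($_.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($_.Name)' defaults inbound to $($_.DefaultInboundAction), expected Block.")
    }
}

# 3. Enabled inbound allow rules that accept traffic from 'Any' bypass the VLAN restriction.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    if ($addr.RemoteAddress -contains 'Any') {
        $findings.Add("Inbound rule '$($_.DisplayName)' allows $($port.Protocol)/$($port.LocalPort) from Any; expected source $ManagementSubnet.")
    }
}

# 4. RDP is the entry point in the report; at minimum require Network Level Authentication.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
if ($ts -and $ts.UserAuthenticationRequired -ne 1) {
    $findings.Add("RDP-Tcp does not require Network Level Authentication.")
}

# 5. Installed Veeam build, read from the uninstall registry keys (both 64- and 32-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$veeam = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |  # ASSUMPTION: display-name pattern
         Select-Object -First 1
if (-not $veeam) {
    $findings.Add("No Veeam Backup & Replication entry found in the uninstall registry keys.")
} elseif ([version]$veeam.DisplayVersion -lt $MinimumPatchedBuild) {
    $findings.Add("Veeam build $($veeam.DisplayVersion) is below the patched build $MinimumPatchedBuild.")
}

# Report.
if ($findings.Count -eq 0) {
    Write-Host "No findings: host is standalone, inbound is default-deny, no 'Any' inbound allows, RDP requires NLA."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The script only reads state, so it can be scheduled as a drift check; a warning from step 3 is the one most worth acting on, because a single inbound allow from `Any` (RDP or the Veeam service ports) is exactly the path that makes an isolated VLAN moot once an attacker holds VPN access.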
FWIW the Group-IB report does take a few reads to understand, and we've tried making our summary of it more clear. It does start with the abuse of the Fortinet VPN to gain RDP access to the failover. And then it all falls down.
But to get into the backup servers, the CVE was exploited, and that has credential stores that are useful for other parts of the network. Yes, the network is compromised with or without the CVE exploited. The Veeam bug just seems to make the ransomware deployment easier. AIUI.
C.