December 11, 2024
VEEAM exploit seen used once more with a brand new ransomware: “Frag” – Sophos Information

Final month, Sophos X-Ops reported several MDR cases the place risk actors exploited a vulnerability in Veeam backup servers. We proceed to trace the actions of this risk cluster, which just lately included deployment of a brand new ransomware. The vulnerability, CVE-2024-40711, was used as a part of a risk exercise cluster we named STAC 5881. Assaults leveraged compromised VPN home equipment for entry and used the VEEAM vulnerability to create a brand new native administrator account named “level”.

Some instances on this cluster led to the deployment of Akira or Fog ransomware. Akira was first seen in 2023; its leak web site was offline briefly in October, however is again on-line and we proceed to see Akira assaults. Fog emerged earlier this 12 months, first seen in Might. In a current case MDR analysts as soon as once more noticed the ways related to STAC 5881 – however this time noticed the deployment of a previously-undocumented ransomware referred to as “Frag”.

Determine 1: The Frag ransom be aware.

Just like the earlier occasions, the risk actor used a compromised VPN equipment for entry, leveraged the VEEAM vulnerability, and created a brand new account named ‘level’.
Nevertheless on this incident a ‘point2’ account was additionally created.

Frag is executed on the command line with plenty of parameters, with one required: share of file encryption. The attacker can specify directories or particular person recordsdata to encrypt.

Determine 2. The Frag ransomware comes with a assist parameter to information attackers.

When encrypted, recordsdata are given a .frag extension. On this case, the ransomware was blocked by Sophos endpoint safety’s CryptoGuard function.  A detection for the ransomware binary has since been added.

Determine 2: The “.frag” extension added to encrypted recordsdata.

The similarity within the ways, strategies and practices of the actor behind Frag to these utilized by Akira and Fog risk actors has additionally been noticed by Agger Labs. Sophos X-Ops is carefully monitoring this attainable emergence of a brand new ransomware participant with behaviors beforehand seen in Akira ransomware. We are going to proceed to trace this risk habits. We are going to replace this publish with extra technical particulars as they turn into obtainable.