Veeam vulnerability CVE-2024-40711 exploited to deploy ransomware
Hackers are exploiting a significant vulnerability in Veeam Backup & Replication software known as CVE-2024-40711 to deploy ransomware.
Florian Hauser of CODE WHITE GmbH reported the vulnerability, which allows unauthenticated remote code execution (RCE). Sophos X-Ops MDR and Incident Response have been tracking its exploitation.
Over the last month, Sophos has seen several attacks that use compromised credentials and the CVE-2024-40711 vulnerability to create unauthorized accounts and attempt to install ransomware.
In one case, attackers successfully dropped Fog ransomware on an unprotected Hyper-V server, while in another they attempted to install Akira ransomware. The indicators across all four incidents match those of earlier Akira and Fog ransomware campaigns.
In each case, the attackers initially gained access to targets through compromised VPN gateways that lacked multifactor authentication, some of which were running unsupported software versions.
They then exploited the Veeam vulnerability by calling Veeam.Backup.MountService.exe via the URI /trigger on port 8000, which launched net.exe and created a local user named "point." This account was added to the local Administrators and Remote Desktop Users groups, giving the attackers elevated access to the system.
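As an added defender-side example (not code from the Sophos report), the following Python check flags the account-creation step described above in Sysmon-style process-creation records: net.exe spawned by Veeam.Backup.MountService.exe to add a local user and place it in Administrators or Remote Desktop Users. The event records are constructed samples and the password argument is redacted.

```python
"""Detect the Veeam CVE-2024-40711 post-exploitation chain in process-creation
events: Veeam.Backup.MountService.exe -> net.exe adding a local user and
putting it into a privileged local group. Sample events are constructed."""
import re
from collections import defaultdict

VEEAM_DIR = "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\"
NET = "C:\\Windows\\System32\\net.exe"

# Constructed sample events as (ParentImage, Image, CommandLine) tuples.
SAMPLE_EVENTS = [
    (VEEAM_DIR + "Veeam.Backup.MountService.exe", NET, "net user point REDACTED /add"),
    (VEEAM_DIR + "Veeam.Backup.MountService.exe", NET, "net localgroup Administrators point /add"),
    (VEEAM_DIR + "Veeam.Backup.MountService.exe", NET, 'net localgroup "Remote Desktop Users" point /add'),
    ("C:\\Windows\\explorer.exe", NET, "net user"),  # benign: admin listing accounts
]

VEEAM_MOUNT = "veeam.backup.mountservice.exe"
# "net user <name> [<password>] /add"; the optional field must not start with "/"
USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+(?!/)\S+)?\s+/add\b", re.I)
# 'net localgroup <group or "quoted group"> <name> /add'
GROUP_ADD = re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)
PRIV_GROUPS = {"administrators", "remote desktop users"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {account: set(reasons)} for accounts created or elevated by a
    net.exe/net1.exe child of the Veeam mount service."""
    findings = defaultdict(set)
    for parent, image, cmdline in events:
        if basename(parent) != VEEAM_MOUNT or basename(image) not in ("net.exe", "net1.exe"):
            continue
        if m := USER_ADD.search(cmdline):
            findings[m.group(1).lower()].add("local user created")
        elif m := GROUP_ADD.search(cmdline):
            group = m.group(1).strip('"').lower()
            if group in PRIV_GROUPS:
                findings[m.group(2).lower()].add(f"added to {group}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in detect(SAMPLE_EVENTS).items():
        print(f"ALERT account '{account}': {', '.join(sorted(reasons))}")
```

Feed it real Sysmon Event ID 1 (or Security 4688 with command-line auditing) fields to hunt for the same parent/child relationship; any net.exe child of the mount service is worth a look even without a match.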