Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware
Briefly

In each case, the attackers gained initial access through compromised VPN gateways that did not have multifactor authentication enabled. Some of these VPNs were running unsupported software versions.
Each time, the attackers exploited Veeam via the URI /trigger on port 8000, causing Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, 'point', and adds it to the local Administrators and Remote Desktop Users groups.
The active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that enterprise backup and disaster recovery applications are valuable targets for cyber threat groups.
Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.
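The process chain described above (Veeam.Backup.MountService.exe spawning net.exe to create an account and add it to the Administrators and Remote Desktop Users groups) can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from Sophos; the event field names, the `net1.exe` variant, the host names and the install-path placeholder are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Behaviour reported on the page: the Veeam mount service spawning net.exe.
PARENT = "veeam.backup.mountservice.exe"
CHILDREN = {"net.exe", "net1.exe"}  # net1.exe is an assumption (net.exe often re-invokes it)
WATCHED_GROUPS = {"administrators", "remote desktop users"}

USER_ADD = re.compile(r'\buser\s+(?P<user>\S+)\s.*?/add\b', re.I)
GROUP_ADD = re.compile(
    r'\blocalgroup\s+(?:"(?P<q>[^"]+)"|(?P<g>\S+))\s+(?P<user>\S+)\s+/add\b', re.I)

def classify(event):
    """Return a finding for one process-creation event, or None if it does not match."""
    names = [ntpath.basename(event[k]).lower() for k in ("parent_image", "image")]
    if names[0] != PARENT or names[1] not in CHILDREN:
        return None
    finding = {"host": event["host"], "action": "net_spawned", "user": None, "group": None}
    if m := GROUP_ADD.search(event["command_line"]):
        finding.update(action="group_add", user=m["user"], group=(m["q"] or m["g"]).lower())
    elif m := USER_ADD.search(event["command_line"]):
        finding.update(action="user_add", user=m["user"])
    return finding

def summarize(events):
    """Per (host, account): was it created, and which watched groups was it added to?"""
    out = {}
    for f in filter(None, map(classify, events)):
        if f["user"] is None:
            continue
        entry = out.setdefault((f["host"], f["user"].lower()), {"created": False, "groups": set()})
        if f["action"] == "user_add":
            entry["created"] = True
        elif f["group"] in WATCHED_GROUPS:
            entry["groups"].add(f["group"])
    return out

# Constructed sample events; field names and the install-path placeholder are assumptions.
VEEAM = r"C:\<veeam-install-dir>\Veeam.Backup.MountService.exe"
NET = r"C:\Windows\System32\net.exe"
SAMPLE = [
    {"host": "bkp01", "parent_image": VEEAM, "image": NET, "command_line": "net user point <redacted> /add"},
    {"host": "bkp01", "parent_image": VEEAM, "image": NET, "command_line": "net localgroup Administrators point /add"},
    {"host": "bkp01", "parent_image": VEEAM, "image": NET, "command_line": 'net localgroup "Remote Desktop Users" point /add'},
    {"host": "ws07", "parent_image": r"C:\Windows\System32\cmd.exe", "image": NET, "command_line": "net user helpdesk <redacted> /add"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any `net_spawned` finding from this parent is worth reviewing even when the command line does not parse, since the backup service has no routine reason to manage local accounts.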
Read at The Hacker News