Severe Veeam Vulnerability Used to Distribute Akira and Fog Ransomware

14 Oct 2024

Threat actors are currently exploiting a patched vulnerability in Veeam Backup & Replication to deploy Akira and Fog ransomware, according to cybersecurity firm Sophos. These attacks, tracked over the past month, involve using compromised VPN credentials and CVE-2024-40711, a critical vulnerability rated 9.8/10 on the CVSS scale. This flaw allows unauthenticated remote code execution and was patched by Veeam in version 12.2 of Backup & Replication in September 2024.

Security researcher Florian Hauser from CODE WHITE identified and reported the vulnerability. The attacks typically began with access to targets via compromised VPN gateways lacking multifactor authentication, some of which were running outdated software. Attackers used the vulnerability in Veeam by exploiting the URI “/trigger” on port 8000, causing Veeam.Backup.MountService.exe to execute net.exe. This allowed the creation of a local account, “point,” with administrator and remote desktop access.
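The process chain above (Veeam.Backup.MountService.exe launching net.exe to create the “point” account and grant it administrator and remote desktop access) is the observable a defender can hunt for in endpoint telemetry. The following is an added detection example written for this article; it is not Sophos, Veeam or CODE WHITE code. It scans constructed Sysmon Event ID 1 style process-creation records (the `Image`, `ParentImage`, `ProcessId`, `ParentProcessId` and `CommandLine` fields are real Sysmon field names; the sample events, PIDs and password are constructed) and flags `net.exe`/`net1.exe` account-creation or group-membership commands whose ancestry, within a few hops, leads back to the Veeam mount service. The ancestor walk and the three-hop limit are design assumptions for this example, chosen because `net.exe` normally delegates to `net1.exe`.

```python
"""Detect the Veeam mount-service -> net.exe account-creation chain.

Added example (not from the article or from Sophos/Veeam). Works over
Sysmon Event ID 1 style process-creation records supplied as dicts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Parent process the article names as the one the exploit drives to run net.exe.
SUSPICIOUS_PARENT = "veeam.backup.mountservice.exe"
# net.exe hands most sub-commands to net1.exe, so both are watched.
NET_BINARIES = {"net.exe", "net1.exe"}
# Assumption for this example: follow at most three parent hops.
MAX_ANCESTOR_HOPS = 3

# "net user <name> [<password>] /add"
USER_ADD_RE = re.compile(r"\buser\s+(\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# 'net localgroup <group or "Group Name"> <name> /add'
GROUP_ADD_RE = re.compile(
    r'\blocalgroup\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b', re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def spawned_by_mount_service(event: Dict, by_pid: Dict[int, Dict]) -> bool:
    """True if Veeam.Backup.MountService.exe is an ancestor within MAX_ANCESTOR_HOPS."""
    pid = event.get("ParentProcessId")
    for _ in range(MAX_ANCESTOR_HOPS):
        parent = by_pid.get(pid)
        if parent is None:
            return False
        if basename(parent["Image"]) == SUSPICIOUS_PARENT:
            return True
        pid = parent.get("ParentProcessId")
    return False


def classify_net_command(cmdline: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (rule, account, group) for account-creation / group-add commands."""
    m = USER_ADD_RE.search(cmdline)
    if m:
        return ("local_account_created", m.group(1), None)
    m = GROUP_ADD_RE.search(cmdline)
    if m:
        return ("local_group_membership_added", m.group(3), m.group(1) or m.group(2))
    return None


def detect(events: List[Dict]) -> List[Dict]:
    """Alert on net.exe/net1.exe privilege changes descended from the Veeam mount service."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts, seen = [], set()
    for e in events:
        if basename(e["Image"]) not in NET_BINARIES:
            continue
        if not spawned_by_mount_service(e, by_pid):
            continue
        hit = classify_net_command(e["CommandLine"])
        if hit is None or hit in seen:  # net.exe and net1.exe carry the same command
            continue
        seen.add(hit)
        alerts.append({"rule": hit[0], "account": hit[1], "group": hit[2],
                       "pid": e["ProcessId"], "command": e["CommandLine"]})
    return alerts


# Constructed sample telemetry (PIDs, paths and password are made up).
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 700,
     "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
     "CommandLine": "Veeam.Backup.MountService.exe"},
    # Benign child of the mount service: not a net binary, must not alert.
    {"ProcessId": 1300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    # Chain described in the article: mount service -> net.exe -> net1.exe.
    {"ProcessId": 3100, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  user point <constructed-password> /add"},
    {"ProcessId": 3101, "ParentProcessId": 3100, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1  user point <constructed-password> /add"},
    {"ProcessId": 3200, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  localgroup administrators point /add"},
    {"ProcessId": 3300, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  localgroup "Remote Desktop Users" point /add'},
    # Benign: an administrator's shell (PID 900, not in the sample) creating a service account.
    {"ProcessId": 4100, "ParentProcessId": 900, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user helpdesk-svc /add"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events, the detector produces three alerts (account creation, Administrators membership, Remote Desktop Users membership) and ignores both the mount service's non-net child and the net.exe invocation with no Veeam ancestor. In production the same logic would be expressed as a SIEM correlation on Sysmon or EDR process events; the value of anchoring on the parent process is that a backup service has no legitimate reason to run net.exe at all, so the rule is high-signal even before the account name is known.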

In one incident involving Fog ransomware, attackers used the rclone utility to steal data from an unprotected Hyper-V server, while other attempts to deploy ransomware were unsuccessful.

NHS England issued a warning, emphasizing that enterprise backup and disaster recovery systems are prime targets for cyberattacks. Meanwhile, Palo Alto Networks’ Unit 42 highlighted the emergence of Lynx ransomware, a variant of INC ransomware that has been active since July 2024. INC ransomware, first seen in 2023, shares significant code with Lynx. The new variant likely arose after INC’s source code was sold on underground markets.

The U.S. Department of Health and Human Services also warned of a new ransomware strain called Trinity, active since May 2024 and suspected to be a rebrand of 2023Lock and Venus ransomware. Trinity uses phishing, malicious websites, and software vulnerabilities to infiltrate systems and employs a double extortion strategy.

Additionally, a financially motivated threat actor has been deploying a MedusaLocker variant, BabyLockerKZ, targeting organizations in Europe and South America since October 2022. This actor uses publicly available tools and living-off-the-land binaries (LoLBins) to assist in credential theft and lateral movement within compromised networks.