ALPHV Ransomware Affiliate targets vulnerable backup installations to gain initial access



Mandiant has identified a new affiliate of ALPHV (BlackCat ransomware), tracked as UNC4466, that targets publicly exposed Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 to gain an initial foothold in victims' networks.

Mandiant reveals that in late 2022, UNC4466 gained access to an internet-exposed Windows server running Veritas Backup Exec version 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`. Shortly after, the Metasploit persistence module was invoked to maintain persistent access to the system for the remainder of the intrusion.

After gaining access to the Veritas Backup Exec server, UNC4466 used Internet Explorer – which is installed by default on outdated Windows systems – to download Famatech's Advanced IP Scanner from its website, hxxps://download.advanced-ip-scanner[.]com.

This program can scan individual IP addresses or entire address ranges for open ports and reports details such as hostnames, operating system, and hardware manufacturer information.

UNC4466 also made use of ADRecon to gather network, account, and host information in the victim’s environment, Mandiant researchers revealed. “When executed by a privileged domain account, ADRecon generates several reports about the Active Directory environment, including the Trusts, Sites, Subnets, password policies, user and computer account listings. These reports can be generated in a variety of formats, including CSV, XML, JSON, and HTML.”

The UNC4466 malicious group relied heavily on the Background Intelligent Transfer Service (BITS) to download a variety of tools that included LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware.

Indicators of Compromise

Hash                              Name
da202cc4b3679fdb47003d603a93c90d  MIMIKATZ
5fe66b2835511f9d4d3703b6c639b866  NANODUMP
1f437347917f0a4ced71fb7df53b1a05  LIGOLO
b41dc7bef82ef384bc884973f3d0e8ca  REVSOCKS
c590a84b8c72cf18f35ae166f815c9df  Sysinternals PSEXEC
24b0f58f014bd259b57f346fb5aed2ea  WINSW
e31270e4a6f215f45abad65916da9db4  REVSOCKS
4fdabe571b66ceec3448939bfb3ffcd1  Advanced Port Scanner
68d3bf2c363144ec6874ab360fdda00a  LAZAGNE
ee6e0cb1b3b7601696e9a05ce66e7f37  ALPHV
f66e1d717b54b95cf32154b770e10ba4  METASPLOIT
17424a22f01b7b996810ba1274f7b8e9  METASPLOIT
