CVE-2023-27532
Published 2023-03-10
Priority P1 (90) · high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-09-12
Exploited in the wild
EPSS: 77.61% (99.5th percentile)
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | veeam_backup_replication | < 11.0.1.1261 | 11.0.1.1261 |
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | — | — |
Detection & IOCs (extracted from sources)
- Monitor TCP port 9401 on Veeam Backup & Replication servers for unauthenticated inbound connections; this port is the attack surface for CVE-2023-27532 credential dumping and RCE.
- Enable verbose API logging on Veeam servers by setting HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel to DWORD 7 and restarting VeeamBackupSvc; then monitor C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log for anomalous API calls indicative of exploitation.
- No child processes are created and no filesystem or registry artifacts are left behind during credential dumping exploitation; rely on API log analysis rather than process/file telemetry for detection.
- Post-patch, verify that all API requests to the Veeam Backup & Replication service require a valid JWT signed with the installation-specific certificate; requests with empty or invalid tokens should be rejected.
- Hunt for the presence of veeam.exe (SHA256: 45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a) on hosts, as it is a weaponized exploit binary for CVE-2023-27532 observed in threat actor tool repositories.
- By default, Veeam Backup & Replication does not log API calls; LoggingLevel must be manually raised to 7 to capture exploitation evidence, meaning default deployments will have no log entries related to CVE-2023-27532 attacks.
- The Veeam Backup & Replication API listens on all interfaces (0.0.0.0) by default, making port 9401 externally reachable unless explicitly firewalled; internet-exposed instances are at highest risk.
- Vulnerable versions are any Veeam Backup & Replication builds prior to V12 (build 12.0.0.1420 P20230223) and V11a (build 11.0.1.1261 P20230227); use the PowerShell snippet provided in the source against Veeam.Backup.Core.dll to confirm the installed build.
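The three host-side checks above (installed build, port 9401 binding, API logging level) can be combined into one local audit. The script below is an added example, not Veeam's, Huntress's or this page's code; it assumes the default install path of Veeam.Backup.Core.dll, and because the four-part file version may not reveal whether the P20230223/P20230227 patch level is applied, it only flags builds equal to the fixed build for manual confirmation rather than calling them patched.

```powershell
# Added audit script for CVE-2023-27532 exposure on a Veeam Backup & Replication server.
# Not vendor code. Assumptions: default install path below; the four-part FileVersion does
# not carry the P-level, so a build equal to the fixed build still needs manual confirmation.

# Fixed builds named in the advisory: V12 = 12.0.0.1420 (P20230223), V11a = 11.0.1.1261 (P20230227).
$FixedBuilds = @{ 12 = [version]'12.0.0.1420'; 11 = [version]'11.0.1.1261' }

function Get-VbrExposure {
    param(
        [version]$Build,
        [string]$ListenAddress,   # local address of the TCP 9401 listener; $null if none
        [int]$LoggingLevel        # HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel
    )
    # Every build below V11a is vulnerable, and a 12.x build below 12.0.0.1420 is vulnerable
    # even though it is numerically newer than the fixed 11a build, so pick the fix per line.
    $fixed = if ($Build.Major -ge 12) { $FixedBuilds[12] } else { $FixedBuilds[11] }
    $state = if ($Build -lt $fixed) { 'VULNERABLE' }
             elseif ($Build -eq $fixed) { 'FIXED-BUILD (confirm the P-level patch is installed)' }
             else { 'NEWER-THAN-FIX' }
    [pscustomobject]@{
        Build           = $Build.ToString()
        FixedBuild      = $fixed.ToString()
        State           = $state
        Port9401Exposed = ($ListenAddress -in @('0.0.0.0', '::'))  # bound to all interfaces
        ApiLoggingOn    = ($LoggingLevel -ge 7)                     # required to record API calls
    }
}

# --- Collect the facts from the local host ---
$dll = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Core.dll'  # assumed default path
if (-not (Test-Path $dll)) { throw "Veeam.Backup.Core.dll not found at $dll; adjust the path." }
$build = [version](Get-Item $dll).VersionInfo.FileVersion

$listener = Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
$listenAddress = if ($listener) { $listener.LocalAddress } else { $null }

$regKey = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$loggingLevel = [int](Get-ItemProperty -Path $regKey -Name LoggingLevel -ErrorAction SilentlyContinue).LoggingLevel

$result = Get-VbrExposure -Build $build -ListenAddress $listenAddress -LoggingLevel $loggingLevel
$result | Format-List

if ($result.State -eq 'VULNERABLE') { Write-Warning "Update to build $($result.FixedBuild) (Veeam KB4424)." }
if ($result.Port9401Exposed)        { Write-Warning 'TCP 9401 is bound to all interfaces; restrict it at the firewall.' }
if (-not $result.ApiLoggingOn)      { Write-Warning 'API calls are not logged; set LoggingLevel=7 and restart VeeamBackupSvc.' }
```

Run it in an elevated PowerShell session on the backup server; Get-NetTCPConnection needs the NetTCPIP module shipped with Windows Server 2012 and later.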
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
GHSA
GHSA-hh3c-xpmg-w5fr: Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained (ghsa_unreviewed · 2023-03-11 · CVE-2023-27532 [HIGH] · CWE-306)
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
VulnCheck
Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability (vulncheck · 2023 · CVSS 7.5 · CVE-2023-27532 [HIGH] · CWE-306)
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.
Affected: Veeam Backup & Replication
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://labs.withsecure.com/publications/fin7-target-veeam-servers; https://thehackernews.com/2023/05/n
CISA
Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability (cisa · 2023-08-22 · CVSS 7.5 · CVE-2023-27532 [HIGH] · CWE-306)
Affected: Veeam Backup & Replication
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.veeam.com/kb4424; https://nvd.nist.gov/vuln/detail/CVE-2023-27532
Remediation Due Date: 2023-09-12
Suricata
ET EXPLOIT Veeam Backup & Replication Cloud Connect RCE Attempt Inbound (CVE-2023-27532) (suricata · 2024-09-26 · CVSS 7.5 · CVE-2023-27532 [HIGH])
Rule (as indexed; note that the first `content:""` match is empty in this copy):
```
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Veeam Backup & Replication Cloud Connect RCE Attempt Inbound (CVE-2023-27532)"; flow:established,to_server; content:""; content:"xp_cmdshell"; fast_pattern; reference:cve,2023-27532; classtype:attempted-admin; sid:2056209; rev:1; metadata:attack_target Server, created_at 2024_09_26, cve CVE_2023_27532, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
No public exploits indexed.
Checkpoint
23rd February – Threat Intelligence Report (blogs_checkpoint · 2026-02-23)
For the latest discoveries in cyber research for the week of 23rd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
France’s Ministry of Economy has disclosed a data breach resulting from unauthorized access to the national bank account registry FICOBA, impacting information tied to 1.2 million accounts. Exposed data includes names, addresses, account identifiers and, in some cases, tax-related identifiers. Officials said the intrus
Bleepingcomputer
Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks (blogs_bleepingcomputer · 2026-02-21, by Lawrence Abrams)
Article updated at the bottom with additional technical details about this campaign.
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.
A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.
Moses says the compromised
Bleepingcomputer
CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs (blogs_bleepingcomputer · 2025-11-13, by Lawrence Abrams)
US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.
An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners alerts that Akira ransomware has expanded its encryption capabilities to Nutanix AHV VM disk files.
The advisory includes new indicators of compromise and tactics observed through FBI investigations and third-party reporting as recent as November 2025.
## Encrypting Nutanix VMs in attacks
The advisory warns that in June 2025 Akira actors started to encrypt disk files for Nutanix
Trendmicro
Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware (blogs_trendmicro · 2025-08-20 · Ransomware)
Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments.
By: Jeffrey Francis Bonaobra, Joshua Aquino, Mohammed Malubay, John Paul Lim, Emmanuel Panopio, Emmanuel Roll, Melvin Singwa, Carl Jayson Peliña, Armando Nathaniel Pedragoza
Key takeaways
- Warlock ransomware operators exploited vulnerable Microsoft SharePoint servers, using targeted HTTP POST requests to upload web shells, enabling reconnaissance and credential theft. More details on these vulnerabilities and how Trend Micro protects
Qualys
Lessons from Qilin: What the Industry’s Most Efficient Ransomware Teaches Us (blogs_qualys · 2025-06-18)
## Table of Contents
- Qilin Ransomware Explained: Language, Affiliations, and Targeting Patterns
- Rethink Ransomware Defense: Why Qilin Is a Wake-Up Call for Resilience
- How to Prepare for Threats Like Qilin: Strategic Readiness Starts Left of Boom
- MITRE ATT&CK
- Conclusion
- Get Ahead of What’s Next
Qilin has quietly become one of the most active and impactful ransomware operations in the world today. If it’s not already on your threat radar, now is the time to take notice. This blog unpacks how Qilin operates, why it’s gaining traction across cybercriminal networks, and what steps security teams can take to get ahead of it before it becomes a response priority.
Let us first understand why it has rapidly gained popularity on the Dark Web and is now the top ransomware threat in the world.
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations (blogs_qualys · 2025-05-08)
#### Table of Contents
- Who is LockBit? How it Evolved and Operates
- Monero: The Coin of the Realm
- Patch or Mitigate Now: Critical CVEs Exploited by LockBit
- Beyond Traditional Endpoints: Other Compromised Systems
- Initial Access and Deployment
- Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will
Huntress
Securing Endpoints from Common Vulnerabilities (blogs_huntress · 2025-03-28)
Attackers are constantly on the prowl, scoping out vulnerabilities of network-connected devices in your systems. These devices—laptops, desktops, servers, IoT, and more—are like unlocked doors waiting for threat actors to stroll through. And here’s the kicker: many of these vulnerabilities are shockingly common and easily preventable.
Let’s break down the weaknesses we most frequently track across three million endpoints (not a bad sample size!) and what you can do to patch those holes before a threat actor sneaks in and wreaks havoc.
## Remote Desktop Protocol (RDP): The open back door
Remote Desktop Protocol is a prolific protocol used for remote connectivity, but it’s also one of the most common ways threat actors gain access to endpoint devices. In fact, up to 70% of organizations h
Dfir Report
The Curious Case of an Egg-Cellent Resume (blogs_dfir_report · 2024-12-02 · CVSS 7.5 · [HIGH])
Bleepingcomputer
Critical Veeam RCE bug now used in Frag ransomware attacks (blogs_bleepingcomputer · 2024-11-08 · CVSS 9.8 · CVE-2024-40711 [CRITICAL], by Sergiu Gatlan)
After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.
Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers.
watchTowr Labs, which published a technical analysis on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply security updates issued by Veeam on September 4.
Code White also delayed sharing more details wh
Talos
Akira ransomware continues to evolve (blogs_talos · 2024-10-21)
Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos’ findings and analysis.
Their success is partly due to the fact that they are constantly evolving. For example, after Akira already developed a new version of their ransomware encryptor earlier in the year, we just recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike.
Previously, Akira typically employed a double-extortion tactic in which critical data is exfiltrated prior to the compromised victim systems becoming encrypted. Beginning in early 2024, Akira appeared to be sidelining the encryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift was due
Bleepingcomputer
Akira and Fog ransomware now exploit critical Veeam RCE flaw (blogs_bleepingcomputer · 2024-10-10 · CVSS 9.8 · CVE-2024-40711 [CRITICAL], by Sergiu Gatlan)
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
Code White security researcher Florian Hauser found that the security flaw, now tracked as CVE-2024-40711, is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit in low-complexity attacks.
Veeam disclosed the vulnerability and released security updates on September 4, while watchTowr Labs published a technical analysis on September 9. However, watchTowr Labs delayed publishing proof-of-concept exploit code until September 15 to give admins enough time to secure their servers.
The delay w
Bleepingcomputer
NoName ransomware gang deploying RansomHub malware in recent attacks (blogs_bleepingcomputer · 2024-09-10 · CVSS 8.8 · [HIGH], by Bill Toulas)
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472).
In more recent attacks NoName uses the ScRansom ransomware, which replaced the Scarab encryptor. Additionally, the threat actor tried to make a name by experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak
Checkpoint
15th July – Threat Intelligence Report (blogs_checkpoint · 2024-07-15 · tagged CVE-2024-38112)
For the latest discoveries in cyber research for the week of 15th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
American telecom giant AT&T has disclosed a massive data breach that exposed personal information of 110M of its customers. The data was stolen from the company’s workspace on a third-party cloud platform, referring to Snowflake. The leaked data allegedly includes the full metadata of all of AT&T mobile customers, which can be
Bleepingcomputer
Veeam warns of critical Backup Enterprise Manager auth bypass bug (blogs_bleepingcomputer · 2024-05-21 · CVSS 7.5 · [HIGH], by Sergiu Gatlan)
Veeam warned customers today to patch a critical security vulnerability that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM).
VBEM is a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. It helps control backup jobs and perform restoration operations across an organization's backup infrastructure and large-scale deployments.
It's important to note that VBEM isn't enabled by default, and not all environments are susceptible to attacks exploiting the CVE-2024-29849 vulnerability, which Veeam has rated with a CVSS base score of 9.8/10.
"This vulnerability in Veeam Backup Ent
Talos
Talos IR trends: BEC attacks surge, while weaknesses in MFA persist (blogs_talos · 2024-04-25)
Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.
The most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.
Talos IR Quarterly Trends
Securelist
PC malware statistics, Q3 2023 (blogs_securelist · 2023-12-01)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors: AMR
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
IT threat evolution in Q3 2023. Non-mobile statistics (blogs_securelist · 2023-12-01)
Table of Contents
- Quarterly figures
- Financial threats
  - Financial threat statistics
  - Geography of financial malware attacks
- Ransomware programs
  - Quarterly trends and highlights
  - Vulnerability exploitation
  - More attacks on healthcare
  - Most prolific groups
  - Number of new modifications
  - Number of users attacked by ransomware Trojans
  - Geography of attacked users
  - TOP 10 most common families of ransomware Trojans
- Miners
  - Number of new miner modifications
  - Number of users attacked by miners
  - Geography of miner attacks
- Vulnerable applications used in cyberattacks
  - Quarterly highlights
  - Vulnerability statistics
- Attacks on macOS
  - Geography of threats for macOS
- IoT attacks
  - IoT threat statistics
  - Attacks on IoT honeypots
- Attacks via web resources
  - Countries and territories that serve as sourc
Huntress
Bitter Pill: Pharmaceutical Vendor Linked to Pharmacy and Health Clinic Cyberattack | Huntress (blogs_huntress · 2023-11-09)
In a concerning development within the healthcare sector, Huntress has identified a series of unauthorized accesses that signify internal reconnaissance and preparation for additional threat actor activity against multiple healthcare organizations.
The attackers abused a locally hosted instance of a widely used remote access tool, ScreenConnect, utilized by the company Transaction Data Systems (which recently merged with and was renamed Outcomes), the makers of Rx30 and ComputerRx software, for initial access to victim organizations. The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments.
## Overview
In this article, there are multiple ScreenConnect
Huntress
Veeam Backup & Replication CVE-2023-27532 Response | Huntress (blogs_huntress · 2023-03-13 · CVSS 7.5 · CVE-2023-27532 [HIGH])
UPDATE 03/13/2023 2252 ET: After taking further inventory of our partner's Veeam service binary details to review the version number, we uncovered many more unpatched and vulnerable hosts. We are sending incident reports for all affected partners and making direct phone calls when Veeam is publicly exposed on the Internet.
On 7 March 2023, Veeam published a knowledge base article outlining CVE-2023-27532, a vulnerability in the Veeam Backup & Replication component that allowed an unauthenticated user to retrieve host credentials stored in the configuration database.
This weakness could ultimately enable an attacker to gain access to hosts and devices managed by the Veeam Backup server. With access to the open TCP port 9401, any individual could obtain credentials and potentially move lat
Sentinelone
RansomHub Ransomware: In-Depth Analysis, Detection, and Mitigation (blogs_sentinelone · 2025-01-08)
## What Is RansomHub Ransomware?
RansomHub operations were first observed in February of 2024. Since then, the group has drawn heavily upon its ability to recruit and attract operators from other, sometimes imploding, extortion operations. Upon the collapse of ALPHV, for example, multiple affiliates migrated to RansomHub, hoping to monetize their stolen data through them. RansomHub has been associated with the re-extortion of ransomware victims, including high-value healthcare organizations. Primary operators behind RansomHub have openly recruited affiliates from other ransomware operations via their various communication channels, including DLS sites, forum posts, and Telegram.
Operating primarily as a Ransomware-as-
Huntress
Untold Tales from Tactical Response | Huntress (blogs_huntress)
Security professionals are constantly ingesting threat reports, write-ups, and blogs on various defensive and offensive techniques. These include detailed write-ups on actual intrusions.
Here, we’d like to continue this trend, but with a slight twist.
Rather than present a neat timeline of events (although we’ll do this too), we’ll approach this particular write-up from the point of view of the actual analyst performing the investigation for this case.
Every intrusion is different, and so too are the investigative paths that unravel them.
Join us as we walk you through one of these paths!
## It Begins
Although we may think of intrusions as linear, with the attack progressing neatly from step one to step two and so forth, that’s rarely how the intrusion comes into focus from an analys
Timeline
- Published: 2023-03-10
- Added to CISA KEV: 2023-08-22
- Exploited in the wild