A gang of hackers has targeted a year-old vulnerability in Veeam’s backup software. Anyone who has not implemented the patch now has to fear for their backups.

A hacker gang operating under the name EstateRansomware is targeting users of Veeam Backup & Replication. The victims’ backups are encrypted in order to demand ransom. Group IB, a security company from Singapore, explains in a blog Mode of operation the gang.

Using a “dormant account,” the attackers gain access via VPN and connect to a server within the victim’s Veeam environment. They then gain full access to the backup servers via the backdoor in the Veeam software and can retrieve data from these servers.

Those who refuse to follow rules shall feel the consequences

Anyone who falls victim to EstateRansomware should take their own initiative. The vulnerability, known as CVE-2023-27532, is not an unknown problem, especially for Veaam. The backup specialist emphasized to The Register that a patch has been available since March 2023. All versions of Backup & Replication from 11a onwards fix the vulnerability. At the time the patch was released, the vulnerability was already being actively exploited.

A forewarned company is worth two, but those who refuse to listen will sooner or later have to pay the price. This is a prime example of why you should always implement patches as soon as possible. The time your servers are limited or unreachable is a minor inconvenience compared to the damage hijacked backups can cause. It is unknown how many Veeam servers are still vulnerable and where they are located.

There are other recent vulnerabilities in Veeam’s backup software to worry about. In May, Veeam reported a vulnerability in Backup Enterprise Manager, but it doesn’t pose a threat to your backups.