CISA Urges to Fix Backup Exec Bug Exploited to Deploy Ransomware

A new ALPHV (aka BlackCat Ransomware) has been found and tracked under the ID UNC4466. This ransomware affiliate uses Veritas Backup Exec Installations, which are vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-2787878. However, these CVEs are used for the initial access only.

A commercial internet scanning tool found a massive 8500 installations of Veritas Backup Exec installations. The count of unpatched versions might still be a significant number.

The ALPHV intrusions were usually from stolen credentials in the past but originated from targeting known vulnerabilities, which states that criminals have emerged.

BLACKMATTER and DARKSIDE ransomware are the predecessors of ALPHV ransomware, released in November 2021 as ransomware-as-a-service. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.


CVE Vendor/Project Product Vulnerability Name Date Added to Catalog Short Description Action Due Date
CVE-2021-27876 Veritas Backup Exec Agent Veritas Backup Exec Agent File Access Vulnerability 2023-04-07 Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine. Apply updates per vendor instructions. 2023-04-28
CVE-2021-27877 Veritas Backup Exec Agent Veritas Backup Exec Agent Improper Authentication Vulnerability 2023-04-07 Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. Apply updates per vendor instructions. 2023-04-28
CVE-2021-27878 Veritas Backup Exec Agent Veritas Backup Exec Agent Command Execution Vulnerability 2023-04-07 Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. Apply updates per vendor instructions. 2023-04-28
Source : CISA


  • March 2021 – Veritas published advisories for Veritas Backup Exec 16. x, 20. x and 21.x
  • September 23, 2022 – Metasploit releases module to exploit Veritas Backup Exec versions.
  • October 22, 2022 – Veritas Vulnerabilities are being exploited, which is observed by Mandiant.

Attack Phases of ALPHV

Initial Compromise and Establish Foothold

UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce to exploit internet-facing Windows servers with Veritas Backup Exec running. The Metasploit persistence module was used for maintaining permanent access to the systems as part of the remaining intrusion.

Internal Reconnaissance

Once the UNC4466 accessed the Veritas Backup Exec server, they used internet explorer to download Famatech’s Advanced IP scanner from the website. This tool could scan both individual and range of IP addresses, ports, hostnames, and system hardware information.

The UNC4466 also did an Active Directory Recon using the ADRecon to gather network, host, and account information of the victim’s environment.

With a privileged domain account, ADRecon will generate several reports about the AD environment, Trusts, sites, subnets, password policies, and computer and user account listings.

Another advantage is that these reports can be downloaded in the required formats like CSV, XML, JSON, and HTML.

Ingress Tool Transfer

Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.

C&C (Command and Control)

For achieving communication between these systems, the UNC4466 used SOCK5 tunneling with the victim network. Tools like LIGOLO and REVSOCKS are deployed for evasion, evading all the network defenses or other intrusion prevention systems.

They used BITS Transfer to download several resources to the staging directory “C:ProgramData,” supported by SOCK5 tunneling, REVSOCKS, and LIGOLO.

Escalate Privileges

For dumping the credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.

As per reports, In November 2022, UNC4466 used MIMIKATZ Security Support Provider Injection Module (MISC::MemSSP), which manipulates the Local Security Authority Server Service (LSASS) and collects credentials in clear-text and stores it in a file named “C:WindowsSystem32mimilsa.log”.

Source: Mandiant
Source: Mandiant

Complete Mission

ALPHV is a rust programming-based ransomware that UNC4466 deploys. The group also changed the default domain policy, which performs malicious actions like disabling security software, downloading the ALPHV encryptor, and executing.


As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.

However, systems running vulnerable versions were not identified on this scan; threat actors could potentially exploit this.


For systems running with Veritas Backup Exec versions before 21.2, every system facing the internet should be highly prioritized.

Exploited systems can see the particular logs on the Backup Exec log file. For detection and alerting of these events, it is recommended to forward the file to the SIEM and create an alert for specific events.

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmpndmpsrvr]      + ndmpd.cpp (nnn):

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmpndmpsrvr]      | Session 1 started

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmpndmpsrvr]      – sslOpen() : Opening SSL for: 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmpndmpsrvr]      – sslOpen(): certinfo = 0x00000; sslConn = 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmpndmpcomm]      – ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]

For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.

Indicators of Compromise

da202cc4b3679fdb47003d603a93c90d MIMIKATZ
5fe66b2835511f9d4d3703b6c639b866 NANODUMP
1f437347917f0a4ced71fb7df53b1a05 LIGOLO
b41dc7bef82ef384bc884973f3d0e8ca REVSOCKS
c590a84b8c72cf18f35ae166f815c9df Sysinternals PSEXEC
24b0f58f014bd259b57f346fb5aed2ea WINSW
e31270e4a6f215f45abad65916da9db4 REVSOCKS
4fdabe571b66ceec3448939bfb3ffcd1 Advanced Port Scanner
68d3bf2c363144ec6874ab360fdda00a LAZAGNE
ee6e0cb1b3b7601696e9a05ce66e7f37 ALPHV
f66e1d717b54b95cf32154b770e10ba4 METASPLOIT
17424a22f01b7b996810ba1274f7b8e9 METASPLOIT
To Top

Pin It on Pinterest

Share This