FIN7 tradecraft seen in attacks against backup servers

WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. The research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group.

It is likely that initial access and execution were achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532[1]. FIN7 is a financially motivated cybercrime group with roots dating back to the mid-2010s. The group has been involved in several high-profile, large-scale attacks over the years. The group’s tradecraft and modus operandi have evolved over its multi-year history: it has developed new tools[2], expanded its operations[3], and affiliated with other threat actors[4].

WithSecure™ Elements Endpoint Detection and Response and WithSecure™ Countercept Detection and Response detect multiple stages of the attack lifecycle and generate incidents with detailed detections. WithSecure™ Elements Endpoint Protection includes multiple detections covering the malware and its behaviour. Ensure that real-time protection and DeepGuard are enabled; you may also run a full scan on your endpoint.

This blogpost provides an analysis of intrusions we have observed, along with a timeline of these attacks: https://labs.withsecure.com/