Threat Awareness – ALPHV/BlackCat Ransomware Threat Actor Exploited Veritas Backup Flaw for Initial Access

Author: Alec Davison

Created: Tuesday, April 4, 2023 - 19:13

Categories: Cybersecurity

An affiliate of the ALPHV/BlackCat ransomware group exploited three vulnerabilities in the Veritas Backup Exec product to gain initial access to a victim’s network, according to security researchers at Mandiant. Members who use Veritas Backup Exec are encouraged to review this report and verify that their systems have been patched for the exploited vulnerabilities.

Mandiant researchers first observed BlackCat affiliates abuse Veritas exploits in October 2022. The targeted high-severity vulnerabilities are tracked as CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878. All three flaws impact the Veritas Backup Exec software. The vendor disclosed them in March 2021 and released a patch with version 21.2. However, more than two years later, many endpoints remain vulnerable because they have not been updated, underscoring the importance of timely patching. According to Mandiant, the BlackCat threat actors compromised an internet-exposed Windows server running Veritas Backup Exec and used the publicly available Metasploit module to maintain persistence on the network, allowing them to conduct additional malicious activity.

WaterISAC encourages members to visit CISA’s StopRansomware.gov for a comprehensive repository of resources to tackle ransomware more effectively. Access the original report at Mandiant or read more at BleepingComputer.
