CVE-2024-40711: Hackers Exploit Veeam Vulnerability to Deploy Frag Ransomware

Cybercriminals have begun actively exploiting a vulnerability in the widely used software Veeam Backup & Replication to spread a new ransomware known as “Frag.” The vulnerability, identified as CVE-2024-40711, enables remote code execution without authentication and has a critical CVSS severity rating of 9.8 out of 10.

Researchers at Sophos X-Ops reported that the attacks are linked to a threat group designated as STAC 5881. These hackers first infiltrate networks using vulnerable VPN devices, then deploy the Veeam exploit to create fake administrator accounts.

The issue affects Veeam Backup & Replication versions up to and including 12.1.2.172. Veeam, a popular backup solution with over 550,000 customers worldwide—including 74% of Global 2000 companies—released patches to address the vulnerability in early September 2024.

Previously, STAC 5881 used well-known ransomware strains Akira and Fog. However, attacks involving the newly identified malware Frag have only recently come to light. According to Sean Gallagher, lead researcher at Sophos X-Ops, the attack methodology remains consistent: attackers first gain access via a vulnerable VPN, then exploit the Veeam vulnerability, creating the “point” and “point2” accounts.

Frag is executed via the command line, requiring users to specify the degree of file encryption as a percentage. All encrypted files are appended with the extension “.frag.” Sophos has already integrated detection for this malware into its endpoint protection tools.

Veeam Backup & Replication users are advised to immediately install the latest updates. Additionally, isolating backup servers from the internet, enabling multi-factor authentication, and implementing monitoring to detect suspicious activity are strongly recommended.