
ALPHV ransomware affiliate detected exploiting Veritas Backup flaws

BleepingComputer reports that Mandiant has detected an affiliate of the ALPHV/BlackCat ransomware group gaining access to target networks by exploiting three vulnerabilities in Veritas Backup. The affiliate, which Mandiant tracks as "UNC4466", was first observed exploiting the high-severity flaws CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 on Oct. 22, 2022. All three vulnerabilities affect the Veritas Backup software and allow malicious actors to gain unauthorized remote access to endpoints. Veritas disclosed the flaws in March 2021 and has since released patches, but Mandiant reports that a search through a commercial scanning service found more than 8,500 IP addresses exposing the service; these hosts are potentially vulnerable if they have not yet been updated to the patched version. Mandiant reports that UNC4466 uses a publicly available Metasploit module to exploit the flaws and, after the initial breach, uses the Advanced IP Scanner and ADRecon utilities to survey the victim's environment. The attackers then use the Background Intelligent Transfer Service (BITS) to download additional tools, including LAZAGNE, LIGOLO, RCLONE, WINSW, and the ALPHV ransomware encryptor.
