ALPHV ransomware affiliate UNC4466 abuses weak backup installations for initial access


Threat intelligence company Mandiant has observed a new ALPHV (aka BlackCat) ransomware affiliate, tracked as UNC4466, targeting publicly exposed Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 for initial access to victim environments. A commercial Internet scanning service identified over 8,500 Veritas Backup Exec instances currently exposed to the internet, some of which may still be unpatched and vulnerable.

“On October 22, 2022, Mandiant first observed exploitation of the Veritas vulnerabilities in the wild,” Jason Deyalsingh, Nick Smith, Eduardo Mattos, and Tyler McLellan, Mandiant researchers wrote in a company blog post. “On September 23, 2022, a METASPLOIT module was released which exploits these vulnerabilities and creates a session which the threat actor can use to interact with the victim system. In March 2021, Veritas published an advisory reporting three critical vulnerabilities in Veritas Backup Exec 16.x, 20.x and 21.x.”

Mandiant calls upon organizations to limit the impact of a ransomware attack by implementing secure access controls, segmenting networks, enabling multi-factor authentication, and regularly testing and evaluating backup strategies. Additionally, organizations should inventory externally facing services and reduce the attack surface available to attackers.

“As of this blog post’s date, one commercial Internet scanning service reported over 8500 IP addresses which advertise the ‘Symantec/Veritas Backup Exec ndmp’ service on the default port 10000, as well as port 9000 and port 10001,” the researchers said. “While this search result does not directly identify vulnerable systems, as the application versions were not identifiable, it demonstrates the prevalence of Internet exposed instances that could potentially be probed by attackers.” 

ALPHV emerged in November 2021 as a ransomware-as-a-service that some researchers have claimed is the successor to BLACKMATTER and DARKSIDE ransomware. While some ransomware operators enacted rules to avoid impacting critical infrastructure and health entities, ALPHV has continued to target these sensitive industries.

Previous ALPHV intrusions investigated by Mandiant primarily originated from stolen credentials, so the Veritas exploitation suggests a shift to opportunistic targeting of known vulnerabilities. The Mandiant post covers the UNC4466 attack lifecycle, indicators, and detection opportunities.

Last April, the Federal Bureau of Investigation (FBI) released an alert with updated details of the indicators of compromise (IOCs) used by the BlackCat/ALPHV ransomware, highlighting that the hackers continue to be active adversaries.

“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing,” the FBI wrote in the FLASH alert. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount, it added.

Mandiant reveals that in late 2022, UNC4466 gained access to an internet-exposed Windows server running Veritas Backup Exec version 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`. Shortly after, the Metasploit persistence module was invoked to maintain persistent access to the system for the remainder of the intrusion.

“After gaining access to the Veritas Backup Exec server, UNC4466 used Internet Explorer, the browser installed by default on older Windows systems, to download Famatech’s Advanced IP Scanner from its website, hxxps://download.advanced-ip-scanner[dot]com,” according to the blog. “This tool is capable of scanning individual IP addresses or IP address ranges for open ports, and returns hostnames, operating system and hardware manufacturer information.”

UNC4466 also made use of ADRecon to gather network, account, and host information in the victim’s environment, Mandiant researchers revealed. “When executed by a privileged domain account, ADRecon generates several reports about the Active Directory environment, including the Trusts, Sites, Subnets, password policies, user and computer account listings. These reports can be generated in a variety of formats, including CSV, XML, JSON, and HTML.”

The hackers utilized multiple credential access tools, including Mimikatz, LaZagne and Nanodump, to gather clear-text credentials and credential material, according to Mandiant. “In November 2022, UNC4466 utilized the MIMIKATZ Security Support Provider injection module (`MISC::MemSSP`). This module collects credentials in clear text as they are used, by manipulating the Local Security Authority Server Service (LSASS) on victim systems. This module creates a file named `C:\Windows\System32\mimilsa[dot]log`,” the post added.

Mandiant also identified heavy use by UNC4466 of the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.

Furthermore, UNC4466 leveraged SOCKS5 tunneling to communicate with compromised systems in the victim network. This technique is typically used to evade network defenses or other preventative network controls. Two separate tools were deployed to execute this technique, LIGOLO and REVSOCKS.

Mandiant also revealed that during operations, UNC4466 takes steps to evade detection. Apart from clearing event logs, UNC4466 also used the built-in Set-MpPreference cmdlet to disable Microsoft Defender’s real-time monitoring capability.

“UNC4466 made use of BITS transfers (using the Start-BitsTransfer PowerShell cmdlet) to download various resources to the staging directory `c:\ProgramData`. Using this technique, SOCKS5 tunneling tools, REVSOCKS and LIGOLO were downloaded from their official GitHub repositories,” the post said. “UNC4466 deploys the Rust-based ALPHV ransomware. In late 2022, UNC4466 added immediate tasks to the default domain policy. These tasks were configured to perform actions which disabled security software, downloaded the ALPHV encryptor, then executed it.”
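The defense-evasion and staging behaviours quoted above (disabling Defender real-time monitoring with Set-MpPreference, clearing event logs, BITS downloads into `C:\ProgramData`, and the `mimilsa.log` file created by the Mimikatz MemSSP module) are all visible in command-line or script-block telemetry. The following is an added detection example written for this article; it is not code from Mandiant or from the original post. It assumes log lines have already been reduced to their command text (PowerShell script-block or process-creation style), and every sample line, host name and download URL in it is constructed for illustration; the `wevtutil cl` pattern is an assumption about how event logs are commonly cleared, since the article does not name the method.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (PowerShell script-block / process-command-line
# style), fabricated for this example to mirror the UNC4466 techniques the
# article describes. The GitHub path and host names below are placeholders.
SAMPLE_EVENTS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Start-BitsTransfer -Source https://github.com/placeholder/revsocks/releases/download/v1/revsocks.exe "
    "-Destination C:\\ProgramData\\revsocks.exe",
    "Start-BitsTransfer -Source https://updates.example.invalid/patch.zip "
    "-Destination C:\\Users\\Public\\patch.zip",
    "Clear-EventLog -LogName Security",
    "powershell.exe Get-Content C:\\Windows\\System32\\mimilsa.log",
    "Get-MpPreference",
    "Set-MpPreference -ScanScheduleDay Everyday",
]


@dataclass(frozen=True)
class Finding:
    technique: str
    event: str


# Each rule pairs a human-readable label with a case-insensitive regex applied
# to the raw command text. Benign variants (Get-MpPreference, a scan-schedule
# change, a BITS download to a non-staging folder) deliberately do not match.
RULES = [
    ("Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("BITS transfer staged into C:\\ProgramData",
     re.compile(r"Start-BitsTransfer\b.*-Destination\s+C:\\ProgramData\\", re.I)),
    ("Windows event log cleared",
     re.compile(r"\b(Clear-EventLog|wevtutil(\.exe)?\s+cl)\b", re.I)),
    ("Mimikatz MemSSP log file (mimilsa.log) referenced",
     re.compile(r"\\System32\\mimilsa\.log\b", re.I)),
]


def scan_events(events):
    """Return one Finding per (rule, event) match, preserving input order."""
    findings = []
    for event in events:
        for technique, pattern in RULES:
            if pattern.search(event):
                findings.append(Finding(technique, event))
    return findings


def summarize(findings):
    """Count findings per technique; several distinct techniques on one host
    within a short window is a stronger signal than any single match."""
    counts = {}
    for finding in findings:
        counts[finding.technique] = counts.get(finding.technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit.technique}] {hit.event}")
    print(summarize(hits))
```

Run against the constructed sample, the scanner flags four of the seven lines and ignores the three benign ones. The rules are intentionally narrow (the BITS rule only fires on the `C:\ProgramData` staging directory named in the report) so that they can be tuned per environment; on a real host the same strings would be sourced from PowerShell script-block logging (Event ID 4104) or process-creation events rather than a list literal.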

Last week, Mandiant assessed with ‘high confidence’ that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cyber crime to fund operations.
