Home / Threat Intelligence bulletins / Veeam backup servers targeted by threat actors

Target Industry

Indiscriminate, opportunistic targeting.


A vulnerability within Veeam backup servers, tracked as CVE-2023-27532 (CVSSv3 Score: 7.5 – High Severity Level), is being exploited by threat actors associated with ransomware deployment. The vulnerability exposes encrypted credentials stored in the VBR configuration to unauthenticated users in the backup infrastructure. This could be used to access the backup infrastructure hosts.

Following the disclosure of the security flaw, Horizon3 released a Proof-of-Concept (PoC) exploit code which demonstrated that a threat actor exploited the vulnerability to execute code remotely with the highest privileges.

The associated attacks have an attack profile which resembles that of the threat actor, FIN7.


Successful exploitation of CVE-2023-27532 allows encrypted credentials stored in the Veeam configuration database to be obtained which could allow threat actors to gain access to the backup infrastructure hosts.

Incident Detection

Security updates have been released with regards to this vulnerability. As such, previous product versions are vulnerable to potential exploit.

Affected Products

– Veeam Backup & Replication

– Veeam Cloud Connect

– Veeam Cloud Connect for the Enterprise

– Veeam Backup & Replication Community Edition

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected Veeam products apply the relevant updates as soon as possible. The associated steps and further details can be found within the Veeam Advisory.

Indicators of Compromise

FIN7 associated file hashes (SHA256):

– 212fb6e63ec99e937654a5b6b840acd06482e6f718dc708438868712c601d727

– 61cfe83259640df9f19df2be4b67bb1c6e5816ac52b8a5a02ee8b79bde4b2b70

– e5af0b9f4650dc0193c9884507e6202b04bb87ac5ed261be3f4ecfa3b6911af8

– 7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131

– d1e14b5f02fb020db4e215cb5c3abc6a7b1589443bccd6f03b77ee124ca72b5c

– ea5de5558396f66af8382afd98f2a7118a6bcabf8f9612c7e35b121a8d1f230c

– 188d76c31fa7f500799762237508203bdd1927ec4d5232cc189d46bc76b7a30d

– 1e5514e8f95dcf6dd7289acef6f6b88c460105660cb0c5b86ec7b854f70ee857

– 4d933b6b60a097ad5ce5876a66c569e6f46707b934ebd3c442432711af195124

– 7d48362091d710935726ab4d32bf594b363683e8335f1ee70ae2ae81f4ee36ca

– 98fbccd9c2e925d2f7b8bcfa247790a681497dfb9f7f8745c0327c43db10952f

– b8691a33aa99af0f0c1a86321b70437efcf358ace1cf3f91e4cb8793228d1a62

– e908f99c6753a56440127e54ce990adbc5128d10edc11622d548ddd67e6662ac

– fbd2d816147112bd408e26b1300775bbaa482342f9b33924d93fd71a5c312cce

– 8259fcfeeaef2aa6214a8f3f8fd783c3cdb58693c2f93d6d7899e357d5ad6518

– d772f7eb5108fad7964ec66f5d7eaee2e6612b980b98f55fd7bc8db1a94966ca

– b14ab379ff43c7382c1aa881b2be39275c1594954746ef58f6a9a3535e8dc1a8

– de9b3c01991e357a349083f0db6af3e782f15e981e2bf0a16ba618252585923a

FIN7 associated domains:

– es-megadom[.]com

– civilizationidium[.]com

– conglomeratoid[.]com

– jardinoks[.]com

– keywordsance[.]com

– tnskvggujjqfcskwk[.]com

– groundworkseasy[.]com

– courtlincolnglave[.]com

– pq[.]hosting

– whiteheadcanesyrup[.]com

– widisusez[.]com

– sec[.]gov

FIN7 associated IP addresses:

– 185[.]225[.]17[.]202

– 45[.]67[.]34[.]236

– 5[.]182[.]37[.]118

– 88[.]119[.]175[.]124

– 94[.]158[.]247[.]72

– 178[.]23[.]190[.]73

– 45[.]67[.]229[.]148

– 109[.]234[.]38[.]249

– 118[.]163[.]216[.]107

– 174[.]143[.]147[.]168

– 87[.]106[.]8[.]177

– 91[.]194[.]254[.]93

– 146[.]185[.]220[.]200

– 149[.]154[.]68[.]48

– 162[.]221[.]183[.]11

– 188[.]138[.]98[.]105

– 188[.]40[.]224[.]76

– 195[.]2[.]92[.]62

– 91[.]194[.]254[.]90

– 91[.]194[.]254[.]94

Threat Landscape

The motivation of the threat actors involved in this campaign remains unclear due to a disruption in the attack chain. However, considering their nature, it is likely that the deployment of ransomware and data theft is the final objective.

Threat Group

Security researchers have noted that the initial attacks targeted Veeam products that were exposed to the public web, and that the attack profile of the threat actors contained similarities to that attributed to FIN7. Further analysis showed that the threat actor initially executed the PowerTrash PowerShell script, the names of which have been observed in previous attacks associated with FIN7. Additional techniques akin to FIN7 were also observed, including command-line execution patterns.

FIN7 is known for its affiliation with notorious ransomware operations, including those of the Conti syndicate, Maze, Egregor, and Black Basta. FIN7 were recently detected as working with former Conti members to distribute a new malware strain, dubbed “Domino”, that provides access to the compromised host and also results in the establishment of a Cobalt Strike beacon for the purposes of persistence.

Mitre Methodologies

Common Weakness Enumeration:

CWE-306 – Missing Authentication for Critical Function

Further Information

Veeam Advisory

WithSecure Report

Intelligence Terminology Yardstick