
ALPHV ransomware exploits Veritas Backup Exec bugs for initial access
2023-04-04 15:43

An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities in the Veritas Backup Exec product to gain initial access to the target network.

Mandiant tracks the ALPHV affiliate as 'UNC4466' and notes that this method deviates from the group's typical intrusion, which relies on stolen credentials.

Mandiant says a commercial scanning service showed more than 8,500 IP addresses on the public internet advertising the "Symantec/Veritas Backup Exec ndmp" service on the default port 10000, as well as on ports 9000 and 10001.

According to Mandiant's observations, UNC4466 compromises an internet-exposed Windows server running Veritas Backup Exec using the publicly available Metasploit module and then maintains persistent access to the host.

The researchers explain that UNC4466 used BITS transfers to download SOCKS5 tunneling tools and deployed the ransomware payload by adding immediate tasks to the default domain policy, disabling security software, and executing the encryptor.
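The deployment step above, adding immediate tasks to the Default Domain Policy, leaves a trace that defenders can audit in SYSVOL. The following Python is an added example, not code from the article or from Mandiant's report: it parses a Group Policy Preferences ScheduledTasks.xml and flags immediate tasks that execute from outside an assumed allowlist of directories; the sample XML is constructed, and the Default Domain Policy GUID is the standard Active Directory value rather than something the article states.

```python
import xml.etree.ElementTree as ET

# Well-known GUID of the Default Domain Policy GPO (an Active Directory constant, not a
# value from this article); its machine-side GPP immediate tasks live in ScheduledTasks.xml.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Constructed sample ScheduledTasks.xml with two immediate tasks; the second runs a binary
# from a share as SYSTEM, the pattern a defender would want to surface.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
 <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Inventory" changed="2023-04-01 10:00:00">
  <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U"><Task version="1.3">
   <Actions Context="Author"><Exec><Command>C:\Windows\System32\inventory.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
  </Task></Properties></ImmediateTaskV2>
 <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" changed="2023-04-03 02:15:00">
  <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U"><Task version="1.3">
   <Actions Context="Author"><Exec><Command>\\dc01\SYSVOL\corp.example\scripts\svc.exe</Command><Arguments>-k</Arguments></Exec></Actions>
  </Task></Properties></ImmediateTaskV2>
</ScheduledTasks>"""

# Assumed allowlist of directories a legitimate immediate task would execute from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def sysvol_immediate_tasks_path(domain_fqdn: str) -> str:
    """UNC path of the Default Domain Policy's machine-side ScheduledTasks.xml."""
    return (rf"\\{domain_fqdn}\SYSVOL\{domain_fqdn}\Policies\{DEFAULT_DOMAIN_POLICY_GUID}"
            r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml")

def immediate_tasks(xml_text: str) -> list:
    """Extract every ImmediateTaskV2 entry: who it runs as and what it executes."""
    found = []
    for task in ET.fromstring(xml_text).iter("ImmediateTaskV2"):
        props = task.find("Properties")
        exe = task.find("Properties/Task/Actions/Exec")
        found.append({
            "name": task.get("name"),
            "changed": task.get("changed"),
            "run_as": props.get("runAs") if props is not None else None,
            "command": exe.findtext("Command") if exe is not None else None,
            "arguments": exe.findtext("Arguments") if exe is not None else None,
        })
    return found

def suspicious_tasks(tasks: list) -> list:
    """Flag tasks whose command is missing, a UNC path, or outside the trusted directories."""
    flagged = []
    for t in tasks:
        cmd = (t["command"] or "").lower()
        if not cmd or cmd.startswith("\\\\") or not cmd.startswith(TRUSTED_PREFIXES):
            flagged.append(t)
    return flagged
```

In a real audit the XML would be read from `sysvol_immediate_tasks_path(<domain>)` on each domain controller and compared against a known-good copy, since any immediate task in that GPO applies to every machine in the domain.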

Mandiant's report provides guidance that defenders can follow to detect UNC4466 activity early enough to mitigate it before the ALPHV payload is executed on their systems.
