Security News > 2023 > April > Hackers target vulnerable Veeam backup servers exposed online
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
Malicious activity and tools echoing FIN7 attacks have been observed in intrusions since March 28, less than a week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication software.
Threat researchers at Finnish cybersecurity and privacy company WithSecure note in a report this week that the attacks they observed in late March targeted servers running Veeam Backup and Replication software that were accessible over the public web.
While performing a threat hunt exercise using telemetry data from WithSecure's Endpoint Detection and Response, the researchers noticed some Veeam servers that generated suspicious alerts.
Once they got access to the host, the hackers used their malware, various commands, and custom scripts to collect system and network information, as well as credentials from the Veeam backup database.
WithSecure recommends organizations that use Veeam Backup and Replication software heed the information they provided and use it to look for signs of compromise on their network.
News URL
Related news
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems (source)
- Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware (source)
- ASUS releases fix for AMI bug that lets hackers brick servers (source)
- Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised (source)