Indicators of compromise about CVE-2023-27532

Source of this topic, and where you can find more and more and even the POC:

https://www.huntress.com/blog/veeam-backup-replication-cve-2023-27532-response

They’re truly amazing in cybersecurity.

And now let’s talk about catch some indicators of compromise.

Despite the absence of any child processes resulting from the exploit, records are produced and stored in the directory

C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log

However, the default logging configuration does not capture API calls. To detect attack techniques in the Svc.VeeamBackup.log, one must manually modify the log level as it is not configured by default. The Windows registry value

HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel

is preset to a DWORD value of 4, which does not log API calls. To monitor API calls, the value must be adjusted to 7.

It their article, they do the POC and the results of that compromise is showed as in this logging code section:

https://gist.github.com/JohnHammond/bab3faa472ab5c241a52cfe8f55d4cc7#file-veeam_poc_logs-txt

The Veeam knowledge base advisory states that the credentials are encrypted, but not returned in plaintext by the database manager. Instead, encrypted values and account UUIDs are provided. With the account identifiers, API calls can be executed to decrypt the credentials into a Base64 encoding of the original value.

Again. Patch right now.

Here’s direct link to KB and patches for v11 ad V12: https://www.veeam.com/kb4424

Last updated