Recent Veeam RCE flaw exploited in Frag ransomware attacks

Sophos X-Ops has detailed the ongoing exploitation of a critical vulnerability in Veeam backup servers (CVE-2024-40711), mainly by threat actors associated with a cluster tracked as STAC 5881.

The flaw, CVE-2024-40711, is an input validation error that allows remote code execution.

Past attacks by the threat actor involved the deployment of Akira and Fog ransomware. Akira, first spotted in 2023, ceased operations around mid-October, while Fog ransomware, which emerged in May 2024, is still in operation. However, recent incidents show that STAC 5881 has now deployed a relatively new ransomware named “Frag.”

The attack begins with the compromise of VPN appliances, followed by exploitation of the Veeam vulnerability. In each observed case, the threat actor creates a local administrator account named “point” for persistence. In the latest incident involving Frag, however, analysts observed an additional account named “point2.”

According to Agger Labs, Frag ransomware operators focus on disabling or deleting organizational backups, often leaving companies with few options other than negotiating with the attackers. Frag is operated from the command line and requires the attackers to set a specific encryption percentage. The ransomware appends a “.frag” extension to affected files.
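The account names from the intrusions above (“point”, “point2”) and the “.frag” extension are concrete things a defender can alert on. The following is an added example, not code from Sophos, Agger Labs or this article; it runs a few simple rules over constructed, simplified Windows Security event lines (assumed key=value format; real logs are EVTX/XML and would need a proper parser) and flags creation of those account names, any newly created local account that is then added to the Administrators group, and file writes with the “.frag” extension.

```python
import re

# Constructed sample events (not real telemetry) in a simplified
# "EventID=<id> key=value ..." shape. 4720 = user account created,
# 4732 = member added to a local group, 4663 = object access.
SAMPLE_EVENTS = [
    'EventID=4720 TargetUserName=point SubjectUserName=svc_backup Computer=VEEAM01',
    'EventID=4732 MemberName=VEEAM01\\point GroupName=Administrators Computer=VEEAM01',
    'EventID=4720 TargetUserName=point2 SubjectUserName=svc_backup Computer=VEEAM01',
    'EventID=4720 TargetUserName=jsmith SubjectUserName=helpdesk Computer=WS042',
    'EventID=4663 ObjectName=C:\\Data\\report.xlsx.frag AccessMask=0x2 Computer=FS01',
]

# Account names reported in the STAC 5881 incidents and the Frag file extension.
KNOWN_ACCOUNTS = {"point", "point2"}
FRAG_EXT = ".frag"


def parse_event(line):
    """Split one 'key=value key=value' line into a dict (values have no spaces)."""
    return dict(re.findall(r'(\w+)=(\S+)', line))


def detect(lines):
    """Return a list of (rule_name, detail) findings over the given log lines."""
    findings = []
    created = {}  # accounts seen being created, keyed by account name
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4720":
            name = ev["TargetUserName"]
            created[name] = ev.get("Computer")
            # Exact match on the account names from the reported intrusions.
            if name.lower() in KNOWN_ACCOUNTS:
                findings.append(("stac5881_account_name", f"{name} on {ev.get('Computer')}"))
        elif eid == "4732" and ev.get("GroupName") == "Administrators":
            # Strip the "HOST\" prefix; flag if this account was just created.
            member = ev["MemberName"].split("\\")[-1]
            if member in created:
                findings.append(("new_local_admin", f"{member} on {ev.get('Computer')}"))
        elif eid == "4663" and ev.get("ObjectName", "").lower().endswith(FRAG_EXT):
            findings.append(("frag_extension_write", ev["ObjectName"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The "new_local_admin" rule is the one worth keeping even if the attackers rename their account, since it does not depend on the specific name.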

Frag’s operators further abuse Cloudflare Tunnels to create encrypted channels that bypass firewall restrictions, allowing the attackers to maintain communication with compromised networks without raising red flags. By relying on legitimate, non-malicious programs already present on the system, known as LOLBins (“living off the land” binaries), they evade traditional detection systems.
