As our digital world rapidly expands, threats to data security are growing more sophisticated at an alarming rate. MetaBlock X is issuing an urgent warning to all Commvault users: a critical vulnerability has been identified that could lead to a complete system takeover. Update your systems urgently. This is a crucial first step to protect against data loss, ransomware attacks, and major business disruptions.

This vulnerability is critical because it could be exploited by an unauthenticated remote attacker to execute arbitrary code on vulnerable systems. An attacker can gain complete control of the Commvault Command Center environment without needing any login credentials. Such a breach can have catastrophic consequences: data destruction, data corruption, and in some cases the theft of sensitive personal information.

MetaBlock X’s team is deeply aware that data is the heartbeat of any organization. A compromised backup system can quickly cause permanent data loss, crippling organizations with hefty financial costs and reputational harm. Data security is no longer only a compliance issue; it is a matter of protecting the company’s future.

Understanding the Threat: A Deep Dive

This vulnerability is especially pernicious because it is a pre-authenticated RCE: exploitation does not require any authentication. The attacker can exploit the vulnerability without having logged in to the website, and needs no advance notice or permission to carry out the attack. This greatly lowers the barrier to entry for bad actors and greatly expands the attack surface.

Attackers can exploit this vulnerability as part of a chained attack. This approach, included in the artillery forwarder package, uses a ZIP-based technique to achieve full remote code execution. Attackers can trigger unusual outbound requests to arbitrary ZIP sources. Perhaps most concerning, they can write files into arbitrary directories on the filesystem, or even write to sensitive endpoints such as /reports/MetricsPublish.
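
The two network-visible behaviours named above (requests to /reports/MetricsPublish and outbound ZIP downloads by the backup server) can be checked in logs. The following is an added example, not code from Commvault or the original article; the log layout, IP addresses, subnet and host names are assumptions, the client field is assumed to be an IP address, and the sample lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

SENSITIVE_PATHS = ("/reports/metricspublish",)   # endpoint named in the text, lower-cased
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")  # assumption: management subnet
BACKUP_HOST = "10.0.0.20"                        # assumption: backup server address
ALLOWED_ZIP_HOSTS = {"updates.vendor.example"}   # assumption: approved download hosts
# Assumed log layout: client ident user [time] "METHOD target HTTP/x" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse(line):
    m = LINE_RE.match(line.strip())
    return dict(zip(("client", "time", "method", "target", "status"), m.groups())) if m else None

def norm_path(target):
    # Decode %-escapes and collapse ./ and ../ so disguised paths still match.
    path = posixpath.normpath(unquote(urlsplit(target).path) or "/")
    return "/" + path.lstrip("/").lower()

def inbound_findings(lines):
    """Web access log: requests to sensitive endpoints from outside the admin subnet."""
    for rec in filter(None, map(parse, lines)):
        path = norm_path(rec["target"])
        outside = ipaddress.ip_address(rec["client"]) not in ADMIN_NET
        if outside and any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS):
            yield (rec["time"], rec["client"], rec["method"], path)

def outbound_findings(lines):
    """Egress proxy log: ZIP downloads by the backup server from unapproved hosts."""
    for rec in filter(None, map(parse, lines)):
        url = urlsplit(rec["target"])
        zip_fetch = rec["client"] == BACKUP_HOST and url.path.lower().endswith(".zip")
        if zip_fetch and url.hostname and url.hostname not in ALLOWED_ZIP_HOSTS:
            yield (rec["time"], url.hostname, url.path)

# Constructed sample lines, not real Commvault or proxy logs.
WEB_LOG = [
    '10.0.5.7 - admin [01/Jan/2025:10:01:02 +0000] "GET /reports/MetricsPublish HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:03:44 +0000] "POST /reports/./MetricsPublish?x=1 HTTP/1.1" 200 90',
]
PROXY_LOG = [
    '10.0.0.20 - - [01/Jan/2025:10:03:40 +0000] "GET http://updates.vendor.example/sp.zip HTTP/1.1" 200 4096',
    '10.0.0.20 - - [01/Jan/2025:10:03:41 +0000] "GET http://files.example.net/a/pkg.ZIP?x=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(list(inbound_findings(WEB_LOG)) + list(outbound_findings(PROXY_LOG)))
```

Only the request from outside the admin subnet and the ZIP download from the unapproved host are reported; the administrator's request and the approved download are not.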

Potential Consequences of Not Patching

The potential impacts of neglecting to update the Commvault system are catastrophic and widespread. Here’s a breakdown of what could happen:

  • Deletion of Backup Data: Attackers could delete backup data, leading to the loss of critical information and making it difficult or impossible to restore systems and data.
  • Corruption of Backup Data: A takeover of the Commvault system could result in the corruption of backup data, making it unusable and potentially leading to data loss or system downtime.
  • Modification of Backup Data: Attackers could modify backup data, potentially leading to data inconsistencies or loss of data integrity.
  • Exfiltration of Sensitive Data: A compromised system could allow attackers to access and exfiltrate sensitive data, such as confidential business information or personal data.
  • Disruption of Backup and Restore Processes: A takeover of the Commvault system could disrupt backup and restore processes, leading to data loss or system downtime.

Immediate Actions: Patching and Mitigation

MetaBlock X urges all Commvault users to patch vulnerable systems as soon as possible and mitigate risk. Commvault has made a patch available for versions 11.38.20 and newer. We urge users to check which version they are running and apply any required updates immediately.

How to Check Your Commvault Version

Patching remains one of the most effective security measures. Beyond that, you need to take proactive measures to detect and respond to potential threats. Here are some steps to take:

  1. Log in to the CommCell console.
  2. Navigate to the "CommCell Browser".
  3. Expand "Client Computers".
  4. Right-click on the specific client.
  5. Select "Properties".
  6. Click on the "Version" tab.
  7. The Commvault version will be displayed.

Step-by-Step Patching Instructions

Setting up rules to identify these IOCs helps you detect and respond to potential security incidents in a more timely manner. IOCs provide useful intelligence on how systems may have been compromised. This allows security teams to build accurate detections and take the most effective action, such as swiftly containing and remediating the threat.

  1. Run the install update job.
  2. After the job completes, go to the CommCell console.
  3. Right-click on the Media Agent server.
  4. Select "Properties".
  5. Click on the "Version" tab.
  6. Verify that the updated version is installed.

Proactive Security Measures: Beyond Patching

Here are some common IOCs to look for in the context of the Commvault vulnerability:

Understanding Indicators of Compromise

Backup systems are integral components of an organization’s security posture. Whether it’s a ransomware attack or a massive data breach, the reputational and financial fallout can be monumental. Regular, rapid, and current backups can prevent an IT disaster from becoming a calamity.

As the world around us continues to present new and complex cybersecurity threats, prioritizing a proactive approach to security is crucial. This involves real-time monitoring of networks, proactive security testing, and a cycle of threat identification followed by enhancement of security protocols.

The Role of Backup Systems in Security

MetaBlock X’s central philosophy is one of user empowerment. We give users the knowledge, guidance, and tools they need to confidently navigate the digital asset future. By staying informed and taking proactive measures, organizations can protect themselves from the ever-growing threat of cyberattacks and data breaches.

Why Backup Systems are Essential for Security

Staying Ahead of the Curve: Continuous Monitoring and Improvement

In the ever-evolving landscape of cybersecurity threats, it is essential to adopt a proactive approach to security. This includes continuous monitoring of systems, regular security assessments, and ongoing improvement of security measures.

Best Practices for Continuous Security Improvement

MetaBlock X is committed to providing users with the knowledge and tools they need to navigate the digital asset landscape with confidence and control. By staying informed and taking proactive measures, organizations can protect themselves from the ever-growing threat of cyberattacks and data breaches.
