550K Veeam Backdoors: 17-Month Ransomware Binge Ends—Fortune 500 Forks the Bill

TL;DR

  • Veeam Backup & Replication patched four critical RCE vulnerabilities (including CVE-2026-21666, CVE-2025-21668 and CVE-2027-21708) enabling privilege escalation and SSH key theft
  • Erlang OTP 28.4.1 patches critical SSH compression and HTTP request vulnerabilities
  • SocksEscort Botnet Dismantled: 8,000 Infected Routers Seized Across 2,500 US Homes

💥 550K Veeam Backdoors Shut: 48-Hour Patch Ultimatum for Fortune 500

550k Veeam backdoors: 17-month ransomware happy-hour ends NOW—patch or perish! 🍻💥 Fortune 500’s “secure” backups were a free SSH key buffet. Akira & Fog gorged; you foot the ransom. Still running <12.3? Congrats, you’re the next special. US sysadmins—what’s your excuse for not hitting update in the next 48h?

For 17 months the Frag-Akira-Fog ransomware trinity treated Veeam Backup & Replication like a free, all-you-can-pwn buffet. Yesterday Veeam finally slapped on band-aids 12.3.2.4465 & 13.0.1.2067, closing four CVSS ≥ 9.0 holes that let any "domain peon" morph into postgres god, swipe SSH keys, and carpet-bomb 82 % of the Fortune 500. Cue the world's slowest "oops."

How the hell did a backup box become a launchpad?

Simple: malformed auth tokens (CVE-2026-21666) and a laughable "Backup Viewer" role (CVE-2027-21708) handed attackers SYSTEM shells. PostgreSQL creds were basically Post-it-noted to the internet. No ASLR, no RBAC choke-chain, just 550 k sitting ducks worth one-quarter-trillion in market value.

Impact scorecard – choose your poison

  • Downtime: 36 h average recovery × $8 k/h for midsize firm → $288 k of caffeine-soaked panic
  • Ransom: median demand $2.3 M, paid 48 % of the time → CFOs still cry in the shower
  • Compliance: regulators eyeing 4 % global revenue fines → GDPR roulette wheel spins
  • Career: CISO résumés update automatically; severance becomes the new bonus

Corporate spin vs. realpolitik

Veeam press release: "We value security." Translation: "We value not being sued." Exploits circulated on open-source Git repos since Oct 2024; patching lag equals 519 days of free ransomware beta-testing. If corporations are people, this one forgot its seatbelt—then blamed the road.

Outlook – crystal ball, duct-tape edition

  • 0–3 months: 60 % exploit noise drops; remaining 40 % = legacy servers someone "forgot" in a broom closet
  • 3–12 months: crooks pivot to VMware cred-dump limbo; backup vendors start marketing "unbreakable" widgets (spoiler: still breakable)
  • 12 months+: regulators mandate immutable, air-gapped saints; vendors merge like lonely penguins; IT budgets finally admit security isn't a DLC add-on

Yesterday's patch saves servers, not faces. Update before Friday beers, segment your network, MFA everything, and keep résumés polished—because the next "critical backup bug" shipping crate is already on the ocean.


💥 OTP 28.4.1 Kills 1029× SSH Bomb, Saves US Boxes

256 kB SSH packet → 255 MB RAM bomb! 💥 OTP 28.4.1 finally caps the 1029× zip-zilla. US servers were one ssh away from a fork-bomb migraine. Still on old httpc:request? Congrats, your app just volunteered for unpaid overtime. Patch or perish, cowboys.

Yesterday they gift-wrapped 28.4.1, a 4-MB Band-Aid for the 255-MB migraine they left in every SSH daemon on the planet. One zlib@openssh.com handshake and your little 256 kB love-note unpacked into a quarter-gig memory grenade—ratio 1,029:1, aka “compression’s middle-finger.” CPU sobs, RAM hemorrhages, attacker giggles.

How the fix actually works

They bolted a 1-MB ceiling on the inflater, cutting the blow-up to ≤4:1. Same bomb, now a party-popper. Meanwhile, inets HTTP got tired of choking on mangled Content-Length headers; the server now coughs once—exactly one retry—then boots the client instead of looping forever. Bonus: you must spell the new API httpc://request/4,5 or your code face-plants. Because spelling is security, kids.
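What a ceiling on the inflater looks like in practice, as an added Python illustration (this is not OTP's code; the 1 MiB cap, the helper names and the test stream are assumptions for the example): output is capped before it is buffered, so a 256 kB packet can never cost more than the cap, and a stream that still wants to expand when the cap is hit is rejected instead of fed more RAM.

```python
import zlib

# Output ceiling per inflated packet. A 1 MiB cap on a 256 KiB packet bounds
# the blow-up at 4:1. (Assumed value for illustration, not a constant taken
# from OTP's source.)
MAX_INFLATED = 1 * 1024 * 1024


class DecompressionBomb(Exception):
    """Raised when a stream would inflate past the configured ceiling."""


def bounded_inflate(compressed: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate zlib data, refusing to emit more than `limit` bytes.

    decompressobj.decompress(data, max_length) stops producing output at
    max_length and parks the unread input in unconsumed_tail, so memory use
    is bounded by `limit` no matter what the compression ratio is.
    """
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit)
    # A well-formed stream that fits under the cap ends exactly here (eof).
    # Anything else either wanted to keep expanding (bomb) or was cut short
    # (truncated input); both are rejected rather than buffered.
    if not d.eof:
        raise DecompressionBomb(
            f"stream not finished after {len(out)} bytes "
            f"({len(d.unconsumed_tail)} compressed bytes left unread)"
        )
    return out


def deflate(data: bytes) -> bytes:
    """Compress at the highest level (the sender's side of the exchange)."""
    return zlib.compress(data, 9)


def constructed_high_ratio_stream(inflated_size: int) -> bytes:
    """Constructed test input: a run of zeros, the simplest high-ratio stream."""
    return deflate(b"\x00" * inflated_size)


def inflation_ratio(compressed: bytes, inflated_size: int) -> float:
    """Bytes produced per compressed byte, e.g. the page's 1,029:1 figure."""
    return inflated_size / len(compressed)


if __name__ == "__main__":
    size = 4 * 1024 * 1024
    stream = constructed_high_ratio_stream(size)
    print(f"{len(stream)} bytes -> {size} bytes, ratio {inflation_ratio(stream, size):.0f}:1")
    try:
        bounded_inflate(stream)
    except DecompressionBomb as e:
        print("rejected:", e)
```

Raising the cap (the `limit` argument) lets the same stream through, which is the trade-off the fix makes: a fixed memory bill per packet instead of one the peer chooses.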

Impacts

  • Downtime cost: one decompression bomb = ~90 s of 100 % CPU → ~2,000 lost calls on a typical telecom node.
  • Ops sweat: every US carrier now has 48 h to patch thousands of boxes or keep playing Russian roulette with memory.
  • Dev sweat: grep your repo for httpc:request, sed in the extra slashes, pray the CI passes.

Timeline

  • This weekend: panic deploys, coffee, curse tweets.
  • Q2 2026: incident count drops to zero; 5–7 compatibility whine tickets linger.
  • 2027: OTP 28.5 ships with the same limits baked in; nobody remembers why.

Telecom and IoT love Erlang for uptime; yesterday proved uptime has a sense of humor. Patch now or keep donating 255-MB chunks of your infrastructure to whoever owns a keyboard.


💸 8,000 Router Botnet Busted: $5.5 M Crypto Heist Ends in Global Raid

8,000 routers hijacked—your grandma’s Wi-Fi became a $5.5 M fraud freeway! 💸 Feds just yanked the plug, but 20k new victims still surf the sewer every week. Want cheaper patches or just pray your ISP isn’t next?

8 000 SOHO boxes—2 500 of them in U.S. living rooms—just got yanked off life-support after quietly renting out their arteries to crooks for six years. The FBI, Europol and a bunch of EU cyber-cops call it “Operation Lightning”; the rest of us call it “why the hell did Grandma’s Netgear just vanish from the web?”

How a $15 IP turned into a $5 M migraine

AVRecon slithered in through default admin/admin combos and firmware older than TikTok. Once rooted, each pwned router enrolled in SocksEscort’s criminal Airbnb: ~369 k IP addresses advertised since 2020, charging roughly fifteen bucks a month per exit node. Translation: your bandwidth, their profit, zero vacuuming on your part—except the dirt left on your credit report.

Impacts—because numbers hit harder than swear jars

  • Crypto heist: $1 M siphoned from a NY exchange, $700 k from a PA factory, $100 k on military STAR cards → $3.5 M in frozen coins now sits in fed limbo.
  • Human scale: 20 k victims a week had their logins, shopping carts and OnlyFans sessions piped through someone’s dusty D-Link—enough traffic to fill a 24-hour Zoom call for every resident of Fairbanks, Alaska.
  • Geopol shrug: 60 % of the exit nodes were in the U.S. & U.K., making “Five Eyes” traffic look local while it was actually laundered in Budapest.

What worked, what sucked

  • Strength: 34 domains and 23 C2 servers seized in one calendar day—fastest botnet vasectomy on record.
  • Weakness: 1 200 router models still await user-initiated patches; ISPs can’t push firmware Grandma never clicks.
  • Threat: KadNap and copy-cat code already sniffing for the next ASUS with 2018 firmware.
  • Opportunity: mandatory signed updates, automatic revocation, and a legal kick in the rear for vendors who still ship “admin/admin”.

Timelines—mark your pessimism calendar

  • 0–3 months: expect 30 % of the frozen crypto to boomerang back to victims; the rest will lawyer-up longer than a Fyre Festival refund.
  • 3–12 months: if patching hits 80 % adoption, large proxy botnets become economically lame; criminals pivot to IoT light bulbs and smart kettles.
  • 1–3 years: once routers grow auto-update spines, expect mobile and satellite endpoints to replace them—because crime, like rust, never sleeps.

Your router was never “just a box in the corner”; it was a $15-a-month side hustle for hoods. Patch it, harden it, or next Friday the 13th the joke will be on you—again.


In Other News

  • TriZetto Provider Solutions data breach exposes 3.4 million individuals' health data, triggering 12-month identity protection via Kroll
  • Avast launches Agent Detection & Response (ADR) Layer to block malicious AI agent tool calls