PatchDay Alert
Analysis · 3 min read · 554 words · By operations-desk

The backup agent on every server was ALPHV's way in

Veritas Backup Exec's agent listens on every machine it backs up. Three 2021 CVEs in that agent (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) gave ALPHV/BlackCat affiliates their way in. Backup infrastructure isn't just a destruction target; its agents are an attack surface on every host.

Backup software gets discussed as a ransomware target because attackers want to destroy the backups before they encrypt. The Veritas Backup Exec trifecta is a reminder of the other half: the backup agent, the component installed on every server you back up, is itself an exposed attack surface. Three 2021 vulnerabilities in the Backup Exec Agent, CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878, were used by an ALPHV/BlackCat ransomware affiliate (tracked by Mandiant as UNC4466) for initial access, turning the agent into a front door.

The trifecta

The three flaws sit in the Backup Exec Agent’s network communication (it listens on TCP 10000 by default):

  • CVE-2021-27876: arbitrary file access via the agent’s command protocol.
  • CVE-2021-27877: improper authentication, allowing unauthorized access to the agent.
  • CVE-2021-27878: arbitrary command execution, the payoff of the chain.

Chained, they let an attacker who can reach the agent execute commands on the host. A Metasploit module exists, and Mandiant documented UNC4466 using internet-exposed Backup Exec installations as the initial-access vector for BlackCat deployments. CISA’s Known Exploited Vulnerabilities catalog lists all three, each flagged as used in ransomware campaigns.

Two attack surfaces, not one

This pairs with the Veeam and R1Soft stories to complete the picture of why backup infrastructure is so dangerous:

  • The backup server is the destruction target and credential trove (the Veeam/R1Soft angle).
  • The backup agent is an exposed, often-privileged service running on every protected machine, which is the Veritas angle here. An agent reachable over the network, especially one exposed to the internet, is an entry point onto each host it runs on, multiplied across the fleet.

So backup infrastructure expands your attack surface in two directions at once: a high-value central server, and a privileged agent on everything. Both need defending, and the agent population is the one teams forget, because it’s “just the backup client.”
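
A concrete way to check the agent half of that surface is to audit the host firewall policy for who can reach the agent port. The script below is an added example for this post, not code from the post or from Veritas: it models a firewall policy as a list of rules (a constructed, simplified representation), takes the backup server and management subnet as an assumed allowlist, and reports every allow rule that opens TCP 10000 to anything outside that allowlist, including "any"-source rules and port ranges that happen to cover 10000.

```python
"""Check that the Backup Exec Agent port (TCP 10000) is reachable only from
the backup server and management network.

Added example for this post; it is not code from the post or from Veritas.
The rule list is a constructed, simplified model of a host firewall policy
(one dict per rule), and the allowlist networks are assumed values.
"""
import ipaddress

AGENT_PORT = 10000

# Assumed allowlist (constructed): the backup server and the management subnet.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.5/32"),
    ipaddress.ip_network("10.99.0.0/24"),
]

# Constructed rules. "ports" is "any", a single port, a range "a-b" or a
# comma-separated mix; "remote" is a list of CIDRs, or ["any"] for no limit.
RULES = [
    {"name": "BE Agent from backup server", "action": "allow",
     "protocol": "tcp", "ports": "10000", "remote": ["10.20.0.5/32"]},
    {"name": "Mgmt tools", "action": "allow",
     "protocol": "tcp", "ports": "9000-10100", "remote": ["10.99.0.0/24"]},
    {"name": "Legacy wide open", "action": "allow",
     "protocol": "any", "ports": "any", "remote": ["any"]},
    {"name": "Vendor VPN", "action": "allow",
     "protocol": "tcp", "ports": "10000,10001", "remote": ["203.0.113.0/24"]},
    {"name": "RDP", "action": "allow",
     "protocol": "tcp", "ports": "3389", "remote": ["any"]},
    {"name": "Block agent from WAN", "action": "block",
     "protocol": "tcp", "ports": "10000", "remote": ["0.0.0.0/0"]},
]


def port_matches(spec, port):
    """True if the port specification covers the given port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def source_is_allowlisted(src):
    """True if the source CIDR lies entirely inside one allowlisted network."""
    if src.strip().lower() == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == ok.version and net.subnet_of(ok)
               for ok in ALLOWED_SOURCES)


def audit_agent_exposure(rules):
    """Return (rule name, offending source) for every allow rule that opens
    the agent port to a source outside the allowlist. Only allow rules are
    inspected; precedence and block rules are deliberately ignored, so a
    finding reads as 'this rule exposes the port unless something earlier
    blocks it', which is the conservative reading for an audit."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if rule["protocol"].lower() not in ("tcp", "any"):
            continue
        if not port_matches(rule["ports"], AGENT_PORT):
            continue
        for src in rule["remote"]:
            if not source_is_allowlisted(src):
                findings.append((rule["name"], src))
    return findings


if __name__ == "__main__":
    for name, src in audit_agent_exposure(RULES):
        print(f"EXPOSED: rule '{name}' allows TCP {AGENT_PORT} from {src}")
```

On the constructed policy this reports the catch-all "Legacy wide open" rule and the "Vendor VPN" rule; the "Mgmt tools" range covers port 10000 but only from the management subnet, so it passes. Feeding it a real policy means writing an exporter from your firewall's own rule format into the same dict shape; the containment logic stays the same.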

What to do

  • Patch Backup Exec to a fixed version. These were fixed in 2021; an unpatched agent is a KEV-listed, ransomware-used RCE.
  • Never expose the Backup Exec Agent (TCP 10000) to the internet. UNC4466 found internet-reachable agents. Confirm the agent port is firewalled to the backup server and management network only, never the WAN.
  • Segment and least-privilege the backup fabric. Restrict which hosts can talk to the agents, and don’t run backup services with more privilege than required.
  • Keep immutable/offline backups. As with the rest of the backup category, a recovery copy the attacker can’t reach is what preserves your options when backup infrastructure is compromised.
  • Assume compromise on internet-exposed, unpatched agents, and hunt for the agent process spawning shells and the post-exploitation that precedes BlackCat.
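
The last item, hunting for the agent spawning shells, is the one that needs actual detection logic rather than a config change. The script below is an added example for this post, not code from the post, from Mandiant or from Veritas: it reads Sysmon-style process-creation events (Event ID 1, one JSON object per line, constructed sample data here), walks each shell's parent chain, and flags any shell or script host whose ancestry leads back to the agent process. The agent image name beremote.exe is an assumption, since the post does not name the process. It goes one step beyond the bullet by catching grandchildren (agent, then cmd.exe, then PowerShell) and by falling back to the ParentImage field when the parent's own creation event is missing from the log.

```python
"""Hunt for shells descended from the Backup Exec Agent process.

Added example for this post; it is not code from the post, from Mandiant or
from Veritas. It walks Sysmon-style process-creation events (Event ID 1,
one JSON object per line) and flags any shell or script host whose process
ancestry leads back to the agent. The agent image name beremote.exe is an
assumption (the post does not name the process); the log lines are
constructed sample data, not real telemetry.
"""
import json
import ntpath

AGENT_IMAGES = {"beremote.exe"}          # assumed agent process name
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed Sysmon Event ID 1 records, trimmed to the fields the hunt needs.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "SVC", "Image": "C:\\Program Files\\Veritas\\Backup Exec\\RAWS\\beremote.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "beremote.exe"}
{"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Veritas\\Backup Exec\\RAWS\\beremote.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -nop -w hidden"}
{"EventID": 1, "ProcessGuid": "D", "ParentProcessGuid": "EXP", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "ProcessGuid": "E", "ParentProcessGuid": "GONE", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Veritas\\Backup Exec\\RAWS\\beremote.exe", "CommandLine": "cmd.exe /c ipconfig"}
"""


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def agent_chain(event, by_guid, max_depth=8):
    """Walk parents from this process; return the image-name chain ending at
    the agent, or None if the agent is not an ancestor. If a parent's own
    creation event is missing from the log (rotated, or the agent started
    before logging began), fall back to the ParentImage field."""
    chain = [image_name(event["Image"])]
    current = event
    for _ in range(max_depth):
        parent = by_guid.get(current.get("ParentProcessGuid"))
        if parent is None:
            parent_name = image_name(current.get("ParentImage", ""))
            if parent_name in AGENT_IMAGES:
                chain.append(parent_name)
                return chain
            return None
        parent_name = image_name(parent["Image"])
        chain.append(parent_name)
        if parent_name in AGENT_IMAGES:
            return chain
        current = parent
    return None


def hunt(log_text):
    """Return one finding per shell/script host with the agent in its ancestry."""
    events = [e for e in parse(log_text) if e.get("EventID") == 1]
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["Image"]) not in SHELLS:
            continue
        chain = agent_chain(e, by_guid)
        if chain:
            findings.append({"guid": e["ProcessGuid"],
                             "chain": " <- ".join(chain),
                             "command": e.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['guid']}: {f['chain']}  [{f['command']}]")
```

On the sample data this flags processes B, C and E and ignores D, the cmd.exe started from Explorer. Keying the walk on ProcessGuid rather than PID matters in practice, because PIDs are reused and a long-lived agent process will outlive many of them.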

The reframe is to count both halves of your backup infrastructure as attack surface. The server gets attention because losing it loses your recovery; the agent gets forgotten because it’s everywhere and feels trivial, which is exactly why ALPHV used it. Patch Backup Exec, keep its agent port off the internet, segment the backup fabric, and keep an offline copy. We track the backup-software entries, server and agent alike, because that whole tier is where ransomware decides whether you get to say no.
