Comprehensive data protection for all workloads
Post Reply
tsukraw
Enthusiast
Posts: 46
Liked: 2 times
Joined: Jul 06, 2012 8:28 pm
Full Name: Tucker Sukraw
Contact:

Saved Passwords in Veeam Vulnerable?

Post by tsukraw »

Hey Veeam,

Wanted to run this by the group for input.
Recently we had a ransomware attack.
To give you some background Veeam was on 9.5u3
Backups were going to a local NAS and had a copy job to a secondary NAS in another building.
Both NAS units were using shared folders CIFS with independent credentials not tied to AD.

In the ransomware attack the attacker gained access to the AD administrator account and remote access.
It appeared (We cannot absolutely confirm this) but it appeared the attacker was aware of Veeam and its role.
We suspect this for the following reasons.
1) Veeam was removed from the servers.
2) The NAS units had unique passwords on them that were only used in the Veeam setup. (saved in Veeam)

In the attack both NAS units were targeted and both units were compromised using the unique login credentials that were saved in Veeam. Which is where we think they were pulled from.

So my questions is, is there any way to safe guard passwords that are saved in Veeam?
Utilizing some powershell commands it is fairly easy to decipher all the saved passwords into plain text.
Tucker Sukraw
Network Architect
West Central Technology
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by HannesK »

Hello,
please find details about the used encryption standards here https://helpcenter.veeam.com/docs/backu ... ml?ver=100

We use Microsoft APIs. The passwords are stored in the SQL database and encrypted with the Windows machine key.

If an attacker has access directly to the Veeam server, then he can decrypt them as you already mention. This is true for every kind of software using passwords against external systems. It's nothing special. https://helpcenter.veeam.com/docs/backu ... ml?ver=100

Best regards,
Hannes
karsten123
Service Provider
Posts: 350
Liked: 79 times
Joined: Apr 03, 2019 6:53 am
Full Name: Karsten Meja
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by karsten123 »

if the database is backuped with veeam and application-aware processing, are the passwords still encrypted in the backup?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by Vitaliy S. »

Usage of AAIP settings does not affect how passwords are stored and handled. Not sure I understood your question about passwords in backups. If we are talking about other non-Veeam databases that are protected with Veeam, then you can use this option to protect your files.
karsten123
Service Provider
Posts: 350
Liked: 79 times
Joined: Apr 03, 2019 6:53 am
Full Name: Karsten Meja
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by karsten123 »

Hi Vitaliy,
the question is only about the VBR database and its stored credentials and if it is necessary to encrypt backup files or if it is encrypted by design and cannot be decrypted, even with with any sort of recovery operation from VBR. In my case the source and the destination servers are different maschines.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by Vitaliy S. »

Hey Karsten,

Well, VBR database is protected with a machine key as Hannes said and it is unrelated to backups. As for backups, then I can only say that you must encrypt them if you don't want data from these backups to be exposed and this really depends on how applications using these protected databases are interacting with them.

Thanks!
karsten123
Service Provider
Posts: 350
Liked: 79 times
Joined: Apr 03, 2019 6:53 am
Full Name: Karsten Meja
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by karsten123 »

for a Veeam Cloud Connect server, is it better to backup encrypted configuration via Configuration Backup and do not aaip the SQL database?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by Vitaliy S. »

AAIP and configuration backup are two different things and they cannot be compared. Regardless of whether you do AAIP backup for SQL database or not, the result (data from the database) is the same; data is in the backup file, there is no difference in how it is stored.

If you're asking what the better way of protecting the Veeam database is, then configuration backup should be a way to go.
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by HannesK » 1 person likes this post

if it is necessary to encrypt backup files or if it is encrypted by design and cannot be decrypted, even with with any sort of recovery operation from VBR
I think this answers the question? :-)

Image
houdem
Enthusiast
Posts: 37
Liked: 1 time
Joined: May 05, 2021 9:08 pm
Full Name: Michel Houde
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by houdem »

Hi,

I think it would be nice to have the ability to suspend the NAS user accounts on a schedule. If Veeam is configured to use one user account for backing up and that account is disabled on the NAS outside the backup window then, even if an attacker have the password, he would not be able to access the NAS in question. The NAS would still be accessible with the administrator account which Veeam would be unaware of. That would be better than power on/off on a schedule.

Just an idea.
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Saved Passwords in Veeam Vulnerable?

Post by HannesK » 1 person likes this post

Hello,
you can do that already today. Just query the job status and disable the user on the NAS side.

Disabling on the VBR side has no impact on security. An attacker could just enable it again. Keep in mind that in many cases a human is taking over once an automated attack has found a good target (e.g. a backup server)

Best regards,
Hannes
Post Reply

Who is online

Users browsing this forum: Link State and 283 guests