Host-based backup of VMware vSphere VMs.
Ciso_2021
Enthusiast
Posts: 52
Liked: 7 times
Joined: Sep 13, 2021 7:19 pm
Full Name: Julien Ange

CDP Vs ransomware

Post by Ciso_2021 »

Hi guys
I have a question.
If you are using CDP or replication and you get hit by ransomware, are the replicated servers also infected?
If the ransomware hits the Samba shares, will it affect the Veeam backup drive too?
We are backing up to Veeam and have Veeam on a different subnet (VLAN).

I am trying to understand this.
Your answer is appreciated.
Mildur
Product Manager
Posts: 9847
Liked: 2606 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: CDP Vs ransomware

Post by Mildur » 1 person likes this post

Hi Julien

When ransomware encrypts your files in a VM, these encrypted files will be replicated by CDP or a replication job. If you start the replica from a point after the attack, you will have an infected VM.

The same is valid for backups of this VM. Backups taken after the ransomware event will contain the encrypted files and any malicious software that was installed. You can leverage Secure Restore when you are doing a VM restore. This can help you find infected files or malicious programs before restoring the infected VM back to production.

The target vSphere or Hyper-V node will not be infected by a running CDP or replication job. But the hacker has other methods to do damage on the hypervisor itself if you haven't protected it accordingly.

The Veeam server should not be reachable by a hacker. RDP, SMB and other remote access protocols are not needed. Only the Veeam console ports are needed for you to manage Veeam. If the hacker gets access to the VBR server, he can do anything with the backups. The last line of defense would then be a hardened repo, capacity tier with object lock or an air-gapped backup like tape or USB disk. A Cloud Connect provider can also help you to have a protected copy of your backups.
If the ransomware hits the Samba shares, will it affect the Veeam backup drive too?
Yes, if your backup files are on this Samba share, a hacker with access to the share can encrypt them or delete them.
Product Management Analyst @ Veeam Software
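As an added example (not code from this thread or from Veeam), this PowerShell fragment enforces and checks Fabian's advice above on the VBR server with the Windows Firewall: only the backup console port is reachable, and only from the management VLAN, while RDP and SMB stay closed. The subnet 10.10.20.0/24 and host name vbr01 are placeholders; TCP 9392 is the Veeam Backup Service port the console connects to.

```powershell
# Added example (not from this thread, not Veeam's own tooling): expose on the
# VBR server only the backup console port, and only to the management VLAN,
# and keep the remote access protocols Fabian calls unnecessary (RDP, SMB) closed.
# Assumptions/placeholders: management VLAN 10.10.20.0/24, VBR host "vbr01".
# TCP 9392 is the Veeam Backup Service port the backup console connects to.
$MgmtSubnet  = '10.10.20.0/24'
$ConsolePort = 9392

# Default-deny inbound on all profiles, so anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable the built-in allow rules for RDP and SMB; the console talks to the
# backup service directly and needs neither protocol.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

# Allow the console port, but only from the management VLAN.
New-NetFirewallRule -DisplayName 'VBR console from management VLAN' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Any

# Audit: list enabled inbound allow rules that still open RDP or SMB to any source.
function Get-OpenRemoteAccessRule {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports -contains '3389' -or $ports -contains '445') -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        } | Select-Object DisplayName, Profile
}

# Client-side check (run on the console workstation): does a TCP connection to
# the console port succeed, and from which source address? A workstation whose
# VPN address pool lies outside $MgmtSubnet will report Reachable = False.
function Test-VbrConsoleReachable {
    param([string]$Server = 'vbr01', [int]$Port = 9392)
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server    = $Server
        Port      = $Port
        SourceIP  = $r.SourceAddress.IPAddress
        Reachable = $r.TcpTestSucceeded
    }
}

Get-OpenRemoteAccessRule
Test-VbrConsoleReachable
```

The SourceIP reported by Test-VbrConsoleReachable is the address to compare against the allowed subnet when the console works on the LAN but not from a remote network.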
Ciso_2021
Enthusiast
Posts: 52
Liked: 7 times
Joined: Sep 13, 2021 7:19 pm
Full Name: Julien Ange

Re: CDP Vs ransomware

Post by Ciso_2021 »

Thank you for your answer.
We have only Backup & Replication. Can we specify which users can access the console? Like limiting who can access the console, with restrictions?

Thank you
Mildur
Product Manager
Posts: 9847
Liked: 2606 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: CDP Vs ransomware

Post by Mildur » 1 person likes this post

You're welcome. :)

Yes, you can do that with the Users & Roles setting.

They can install the VBR Console on their computers and directly connect to the Veeam Server without RDP.

If your Veeam server is in your production domain, please remove the server from the domain and use it as a workgroup server. You can create local users for your helpdesk users. Use a least privilege concept. Not everyone in your company needs access to the console.

Additionally, protect your Veeam server with MFA.

You can get more information about hardening the backup infrastructure from the Best practice guide.

Product Management Analyst @ Veeam Software
Ciso_2021
Enthusiast
Posts: 52
Liked: 7 times
Joined: Sep 13, 2021 7:19 pm
Full Name: Julien Ange

Re: CDP Vs ransomware

Post by Ciso_2021 »

This is exactly what I am about to do.
The idea is to use two Veeam servers. But I'm worried about whether they will process the same job at the same time.

Can we install the Veeam console from the Veeam ISO?
Does a single Server 2022 support MFA? Not sure if this is possible.
I appreciate your ideas here
Mildur
Product Manager
Posts: 9847
Liked: 2606 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: CDP Vs ransomware

Post by Mildur »

The idea is to use two Veeam servers. But I'm worried about whether they will process the same job at the same time.
Two backup servers doing backups of the same VMs? Or one for backup, the other one for replicas? You can use the job scheduler to work around that, but that can get really complicated. It should be kept simple to manage :)

I would first invest in a Linux hardened repo or use capacity tier with object lock. The second VBR server will face the same security concerns as the first one; it does not give my backups better security.
Can we install the Veeam console from the Veeam ISO?
Yes. And I think there was a standalone console installer package in the Veeam download portal.
Does a single Server 2022 support MFA? Not sure if this is possible.
You may use Cisco Duo as an MFA solution. But it only works for RDP. The Veeam console doesn't support MFA.
Product Management Analyst @ Veeam Software
Ciso_2021
Enthusiast
Posts: 52
Liked: 7 times
Joined: Sep 13, 2021 7:19 pm
Full Name: Julien Ange

Re: CDP Vs ransomware

Post by Ciso_2021 »

I appreciate your answers.
I downloaded the console from our console and installed it for testing.
I created a local user on the Veeam server and granted that user the Viewer right (just to test the scenario).

Veeam errors out when I launch it: "failed to load license from backup service".

Is this a misconfiguration?
Mildur
Product Manager
Posts: 9847
Liked: 2606 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: CDP Vs ransomware

Post by Mildur »

Hi Julien

May I ask how you downloaded the console from the console? Did you copy an MSI file from the backup server to the local machine and use that to install the console? If yes, then not all necessary components are installed.

Please try again with the ISO (Installation Guide). Start the installer as you would to install the VBR server. On the setup splash screen, you will see the option to install the console.

Or use the link from my earlier post to download the installation package.

After you have made sure that the console was installed correctly, you can connect to the VBR server. Provide the FQDN or IP address and the local user (HOSTNAME\USERName) to connect to the backup server.
Product Management Analyst @ Veeam Software
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey

Re: CDP Vs ransomware

Post by soncscy » 1 person likes this post

Just to reiterate Fabian's already great write-up, don't rely on software only to protect against ransomware. If it can be connected to, it can be attacked.

https://bp.veeam.com/vbr/Security/

Take some time and give this a good read. I know Fabian linked it. It's maybe a bit "high level", but it's good, and it is worth repeating how useful it is. Seriously, read it a few times and ask questions if there are elements you aren't quite grasping well. (Be honest; security isn't something you should let shyness/shame prevent you from grasping.)

I read a LOT of materials my clients get from security firms, and so much of it is random check-lists to get you to buy some software without providing real security. The ideas/theories in this guide are pretty solid and likely you can do this with items you already have in your data center, it's just taking the time to design the process/enforce it.
Ciso_2021
Enthusiast
Posts: 52
Liked: 7 times
Joined: Sep 13, 2021 7:19 pm
Full Name: Julien Ange

Re: CDP Vs ransomware

Post by Ciso_2021 » 1 person likes this post

@mildur I noticed it doesn't work over the VPN; it only works when I am on the same LAN.
I'll troubleshoot it later.
I appreciate your support.

@soncscy thank you. I'll have a look at your link.
Mildur
Product Manager
Posts: 9847
Liked: 2606 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: CDP Vs ransomware

Post by Mildur »

You're welcome :-)
Product Management Analyst @ Veeam Software