Comprehensive data protection for all workloads
Post Reply
majortom1981
Lurker
Posts: 1
Liked: 1 time
Joined: Sep 18, 2018 6:57 pm
Contact:

Veeam Blackcat credentials database

Post by majortom1981 » 1 person likes this post

It was revealed yesterday that the blackcat ransomware has been updated to directly target veeam. It will go into the veeam database to steal any credentials stored there.

I have a couple of questions.

1. If the veeam server is taken off the domain and used off domain would this stop blackcat from getting access to the veeam server or can they still get into it ? Do I need to setup a software firewall on the veeam server blocking all connections from non backed up clients?

2. If they get the cloud connect credentials fro mthe server can they use them to encrypt the cloud connect backups?
PetrM
Veeam Software
Posts: 3996
Liked: 686 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: Veeam Blackcat credentials database

Post by PetrM » 1 person likes this post

Hello and Welcome to Veeam R&D Forums!

In fact, any product can be hacked, it's not possible to close all potential "backdoors" even in theory.

1. It's difficult to say, we don't know how this ransomware spreads within an infrastructure. Basically, it's a reasonable idea to keep the Veeam B&R server out of domain: if the domain account is hijacked, the backup server won't be compromised. Also, you may have a look at this page of the best practices guide and our help center provides useful security considerations as well. Speaking about software firewall, I don't see any disadvantages if it does not affect our services, you may check the required ports to avoid connectivity issues.

2. I doubt that it's possible to encrypt already existing backups. In theory, an intruder can delete backups but we have insider protection feature that should be enabled by cloud provider. Anyway, one of the best protection methods against ransomware is the immutable repository.

Thanks!
jvhilario
Lurker
Posts: 1
Liked: 1 time
Joined: Sep 27, 2022 3:23 am
Full Name: John Hilario
Contact:

[MERGED] Noberus Ransomware

Post by jvhilario » 1 person likes this post

Has Veeam already come up with mitigation for noberus ransomware which targets built in database?

https://www.theregister.com/2022/09/25/ ... _symantec/

Cheers!

John
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam Blackcat credentials database

Post by HannesK »

Hello,
and welcome to the forums.

With any kind of software that stores credentials (e.g. monitoring software, backup software etc.), there is no way to prevent that kind of attack (except preventing access to the machine).

This attack vector is documented in the security section of the user guide. It's just in the nature of any product that has to store credentials.
user guide wrote:An attacker who gained high-privilege access to backup infrastructure servers can get credentials of user accounts and compromise other systems in your environment.
Attacking the database itself is no problem. The credentials are encrypted with the machine key of the backup server. The problem exists, if the attacker has admin access on the backup server. Then he can decrypt the credentials from the database, because he has access to the machine key. That method is widely documented in PowerShell scripts on the forums and the Internet.

To keep the discussion short: even if there would be some "magic" way to prevent that attack, the attacker with administrator privileges could always get the credentials directly from RAM on the backup server once the product needs to use them.

For Windows application aware processing (AAIP) credentials: V12 will bring gMSA support. That removes passwords for Windows AAIP in a domain.

Best regards,
Hannes

PS: I merged your question to one of the existing threads around that topic. According to the article, it looks like it's about the same ransomware
Andreas Neufert
VP, Product Management
Posts: 7321
Liked: 1567 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Veeam Blackcat credentials database

Post by Andreas Neufert »

Please allow me to add that it is important to store backups air-gapped or in a immutable way to prevent any hacker from deleting or tampering with this data.

Regarding credentials reading from Veeam or any other Backup/Software that need to store passwords. For this attack you need admin access to the Veeam Server (or to the other system that stores credentials), so something is already broken in the first place. The Veeam Server should be protected similar to your Active Directory Servers to not allow someone to gain access in the first place.
dali@iae.nl
Expert
Posts: 107
Liked: 28 times
Joined: Jan 17, 2022 10:31 am
Full Name: Da Li
Contact:

[MERGED] Stealing credentials from Veeam Database - please clarify

Post by dali@iae.nl »

I want to know how and what are possibilities for hackers to steal credentials from the Veeam Database.
I'll ask from Veeam to clarify how to interpreted these posts in the media.

An example of such a post (https://duo.com/decipher/attackers-depl ... te-tactics):
Researchers said that at least one Noberus affiliate was observed in late August using information-stealing malware called Eamfo that is designed to steal credentials stored by Veeam backup software, which can store credentials for systems ranging from domain controllers to cloud services. Eamfo has been around since at least August 2021, and researchers said there is evidence that it was previously used by attackers alongside Yanluowang and LockBit ransomware attacks.

“Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt,” said Symantec researchers.


No data is 100% proof of hackers but are there any advisable additional protections needed.
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam Blackcat credentials database

Post by Mildur » 1 person likes this post

Hi Da Li

Please see the answers above from my colleagues.

Thanks
Fabian
Product Management Analyst @ Veeam Software
Andreas Neufert
VP, Product Management
Posts: 7321
Liked: 1567 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Veeam Blackcat credentials database

Post by Andreas Neufert » 1 person likes this post

albertwt
Veteran
Posts: 965
Liked: 55 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

Re: Veeam Blackcat credentials database

Post by albertwt »

Thank you for the update and the solution provided Team :-)
--
/* Veeam software enthusiast user & supporter ! */
AlexHeylin
Veteran
Posts: 563
Liked: 174 times
Joined: Nov 15, 2019 4:09 pm
Full Name: Alex Heylin
Contact:

Re: Veeam Blackcat credentials database

Post by AlexHeylin » 1 person likes this post

PetrM wrote: Sep 23, 2022 8:20 pm we have insider protection feature that should be enabled by cloud provider.
Hi,

As a VCSP we discussed this feature quite extensively and because proper operation relies on settings from both the SP and tenant side (and the tenant side can be changed by an attacker with access to the VBR server), the general view was that while this offers some protection it should not be relied upon. Proper immutable storage (tenant-local, tenant-cloud, or via VCSP) is far superior and in the case of VCSP provided immutable storage the settings are on the SP side so are protected from insider attack at the tenant.

The other setting which I urge people not to rely on is "eject USB drive after backup" because the drive can be easily remounted from the local machine.
Gostev
Chief Product Officer
Posts: 32761
Liked: 7971 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Blackcat credentials database

Post by Gostev »

Indeed, to be fair this feature is from the previous life where there was not too many immutable storage options except tape :)
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], Google [Bot], Semrush [Bot] and 33 guests