- majortom1981
- Lurker
- Posts: 1
- Liked: 1 time
- Joined: Sep 18, 2018 6:57 pm
- Contact:
Veeam Blackcat credentials database
It was revealed yesterday that the BlackCat ransomware has been updated to directly target Veeam. It will go into the Veeam database to steal any credentials stored there.
I have a couple of questions.
1. If the Veeam server is taken off the domain and used off domain, would this stop BlackCat from getting access to the Veeam server, or can they still get into it? Do I need to set up a software firewall on the Veeam server blocking all connections from non-backed-up clients?
2. If they get the Cloud Connect credentials from the server, can they use them to encrypt the Cloud Connect backups?
- PetrM
- Veeam Software
- Posts: 3996
- Liked: 686 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: Veeam Blackcat credentials database
Hello and Welcome to Veeam R&D Forums!
In fact, any product can be hacked; it's not possible to close all potential "backdoors", even in theory.
1. It's difficult to say; we don't know how this ransomware spreads within an infrastructure. Basically, it's a reasonable idea to keep the Veeam B&R server out of the domain: if the domain account is hijacked, the backup server won't be compromised. Also, you may have a look at this page of the best practices guide, and our help center provides useful security considerations as well. Speaking about a software firewall, I don't see any disadvantages if it does not affect our services; you may check the required ports to avoid connectivity issues.
2. I doubt that it's possible to encrypt already existing backups. In theory, an intruder can delete backups, but we have the insider protection feature that should be enabled by the cloud provider. Anyway, one of the best protection methods against ransomware is the immutable repository.
Thanks!
- jvhilario
- Lurker
- Posts: 1
- Liked: 1 time
- Joined: Sep 27, 2022 3:23 am
- Full Name: John Hilario
- Contact:
[MERGED] Noberus Ransomware
Has Veeam already come up with a mitigation for the Noberus ransomware, which targets the built-in database?
https://www.theregister.com/2022/09/25/ ... _symantec/
Cheers!
John
- HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam Blackcat credentials database
Hello,
and welcome to the forums.
With any kind of software that stores credentials (e.g. monitoring software, backup software etc.), there is no way to prevent that kind of attack (except preventing access to the machine).
This attack vector is documented in the security section of the user guide. It's just in the nature of any product that has to store credentials.
Attacking the database itself is no problem. The credentials are encrypted with the machine key of the backup server. The problem exists if the attacker has admin access on the backup server. Then he can decrypt the credentials from the database, because he has access to the machine key. That method is widely documented in PowerShell scripts on the forums and the Internet.
> user guide wrote: An attacker who gained high-privilege access to backup infrastructure servers can get credentials of user accounts and compromise other systems in your environment.
To keep the discussion short: even if there were some "magic" way to prevent that attack, the attacker with administrator privileges could always get the credentials directly from RAM on the backup server once the product needs to use them.
For Windows application-aware processing (AAIP) credentials: V12 will bring gMSA support. That removes passwords for Windows AAIP in a domain.
Best regards,
Hannes
PS: I merged your question into one of the existing threads around that topic. According to the article, it looks like it's about the same ransomware.
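Hannes mentions gMSA support for AAIP as the way to stop keeping a Windows password on the backup server. As an added example (not from this thread, nor Veeam's own documentation or code), this is the Active Directory side of provisioning such an account and checking who can retrieve its password; the account name, DNS name, computer account and domain are placeholders, a KDS root key is assumed to exist already, and how the product consumes the account and what rights it needs inside the guests is not covered here.

```powershell
# Added example, not from the thread: provision a group managed service account (gMSA)
# so that Windows application-aware processing can authenticate without a password
# that has to be stored on the backup server. The managed password is generated and
# rotated by AD and can only be fetched by the principals listed below.
# Assumptions (placeholders): a KDS root key exists, the backup server's computer
# account is BACKUP01$, the domain is example.test.
Import-Module ActiveDirectory

$gmsaName    = 'svc-veeam-aaip'              # placeholder account name
$backupHost  = 'BACKUP01$'                   # placeholder: backup server computer account
$dnsHostName = 'svc-veeam-aaip.example.test' # placeholder DNS host name

# 1. Run on a domain controller / admin host: only the backup server's computer
#    account may retrieve the managed password, so a stolen database entry
#    from elsewhere does not yield a usable secret.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $backupHost `
    -Enabled $true

# 2. Run on the backup server itself: install the account locally and verify
#    that this host is actually allowed to fetch the password. Test-ADServiceAccount
#    returns $true only when retrieval works from the current machine.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$gmsaName cannot be retrieved from this host; check PrincipalsAllowedToRetrieveManagedPassword"
}

# 3. Periodic audit: list the principals allowed to retrieve the password, so that
#    an extra host added to this list later (a sign of tampering) stands out.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

Step 3 is worth scheduling: the gMSA only removes the stored password, it does not change that an administrator on the backup server can still use whatever the server can use.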
- Andreas Neufert
- VP, Product Management
- Posts: 7321
- Liked: 1567 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Veeam Blackcat credentials database
Please allow me to add that it is important to store backups air-gapped or in an immutable way to prevent any hacker from deleting or tampering with this data.
Regarding reading credentials from Veeam or any other backup software that needs to store passwords: for this attack you need admin access to the Veeam server (or to the other system that stores credentials), so something is already broken in the first place. The Veeam server should be protected similarly to your Active Directory servers, so that nobody can gain access in the first place.
- dali@iae.nl
- Expert
- Posts: 107
- Liked: 28 times
- Joined: Jan 17, 2022 10:31 am
- Full Name: Da Li
- Contact:
[MERGED] Stealing credentials from Veeam Database - please clarify
I want to know how hackers could steal credentials from the Veeam database, and what the possibilities are.
I'll ask Veeam to clarify how to interpret these posts in the media.
An example of such a post (https://duo.com/decipher/attackers-depl ... te-tactics):
Researchers said that at least one Noberus affiliate was observed in late August using information-stealing malware called Eamfo that is designed to steal credentials stored by Veeam backup software, which can store credentials for systems ranging from domain controllers to cloud services. Eamfo has been around since at least August 2021, and researchers said there is evidence that it was previously used by attackers alongside Yanluowang and LockBit ransomware attacks.
“Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt,” said Symantec researchers.
No data is 100% proof against hackers, but are there any advisable additional protections needed?
- Mildur
- Product Manager
- Posts: 10984
- Liked: 3016 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Blackcat credentials database
Hi Da Li,
Please see the answers above from my colleagues.
Thanks
Fabian
Product Management Analyst @ Veeam Software
			
- Andreas Neufert
- VP, Product Management
- Posts: 7321
- Liked: 1567 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Veeam Blackcat credentials database
As well, please see this statement: https://community.veeam.com/news-56/off ... -post-3386
- albertwt
- Veteran
- Posts: 965
- Liked: 55 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
- Contact:
Re: Veeam Blackcat credentials database
Thank you for the update and the solution provided, Team
--
/* Veeam software enthusiast user & supporter ! */
- AlexHeylin
- Veteran
- Posts: 563
- Liked: 174 times
- Joined: Nov 15, 2019 4:09 pm
- Full Name: Alex Heylin
- Contact:
Re: Veeam Blackcat credentials database
Hi,
> PetrM wrote: ↑Sep 23, 2022 8:20 pm
> we have insider protection feature that should be enabled by cloud provider.
As a VCSP we discussed this feature quite extensively and because proper operation relies on settings from both the SP and tenant side (and the tenant side can be changed by an attacker with access to the VBR server), the general view was that while this offers some protection it should not be relied upon. Proper immutable storage (tenant-local, tenant-cloud, or via VCSP) is far superior and in the case of VCSP provided immutable storage the settings are on the SP side so are protected from insider attack at the tenant.
The other setting which I urge people not to rely on is "eject USB drive after backup" because the drive can be easily remounted from the local machine.
- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7971 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Blackcat credentials database
Indeed, to be fair, this feature is from the previous life, where there were not too many immutable storage options except tape.