Veeam Community Forums Digest, December 11 - December 17, 2017
THE WORD FROM GOSTEV
vSphere users, note that VMware Tools 10.2.0 is now generally available, and there are two major new features that make it quite a significant release – so much so that I decided to highlight one here. First, this release finally adds an offline bundle VIB which can be deployed using vSphere Update Manager to vSphere 5.5 and later ESXi hosts. Woohoo! Second, it brings support for Microsoft System Center Configuration Manager (SCCM) for distributing and updating VMware Tools on your VMs, which will also be appreciated by many! Here are the direct links to the Release Notes and the actual bits for your convenience.
Release Notes link:
https://docs.vmware.com/en/VMware-Tools ... notes.html
Actual bits link:
https://my.vmware.com/group/vmware/deta ... ductId=614
Another attack story from one of our customers, who hired a security firm post-attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made its way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels just like sharks sensing blood in the water, doesn't it – but what really happens is that the ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, the hackers instead managed to log on to it locally by brute-forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed the Hyper-V management console and deleted the backup server VM entirely. The only way the customer managed to recover some of their data was from storage snapshots.
So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even though it was not a true air gap in this case, the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete them. Although I'm guessing the disk scrubbing probably overfilled the snapshot storage location, so most snapshots were lost anyway.
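The brute-forced RDP logon in this story is the step that leaves the earliest trace on the backup server itself: a burst of Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a 4624 (successful logon) from the same address once a password is guessed. The script below is an added example, not part of this digest or of any Veeam product, of a small detector for that pattern. The event IDs and logon type are standard Windows values; the CSV rendering of the events, the IP addresses, account names and timestamps are constructed sample data, and the `threshold` and `window_minutes` parameters are arbitrary tuning knobs you would adjust to your own logon volume.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example, not from the Veeam digest. Event IDs 4625/4624 and logon
type 10 are standard Windows Security log values; the CSV rendering and
all addresses, users and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive: RDP / Terminal Services sessions

# Constructed sample: timestamp,EventID,LogonType,TargetUserName,IpAddress
SAMPLE_EVENTS = """\
2017-12-14T02:11:05,4625,10,administrator,203.0.113.7
2017-12-14T02:11:09,4625,10,administrator,203.0.113.7
2017-12-14T02:11:14,4625,10,admin,203.0.113.7
2017-12-14T02:11:20,4625,10,veeam,203.0.113.7
2017-12-14T02:11:27,4625,10,backupadmin,203.0.113.7
2017-12-14T02:11:33,4625,10,backupadmin,203.0.113.7
2017-12-14T02:11:40,4625,10,backupadmin,203.0.113.7
2017-12-14T02:13:40,4625,10,backupadmin,203.0.113.7
2017-12-14T02:14:02,4624,10,backupadmin,203.0.113.7
2017-12-14T08:30:00,4625,10,jsmith,198.51.100.20
2017-12-14T08:30:20,4624,10,jsmith,198.51.100.20
2017-12-14T01:00:00,4625,10,administrator,192.0.2.9
2017-12-14T01:30:00,4625,10,administrator,192.0.2.9
2017-12-14T02:00:00,4625,10,administrator,192.0.2.9
2017-12-14T02:30:00,4625,10,administrator,192.0.2.9
2017-12-14T03:00:00,4625,10,administrator,192.0.2.9
2017-12-14T03:30:00,4625,10,administrator,192.0.2.9
2017-12-14T09:00:01,4625,2,svc_backup,10.0.0.5
"""


def parse_events(text):
    """Turn the CSV rendering into dicts with a real datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return events


def detect_rdp_brute_force(events, threshold=5, window_minutes=10):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed RDP logons inside some sliding window of `window_minutes`.

    The alert records the densest burst, the accounts tried, and the first
    successful RDP logon from that source at or after the burst (the case
    where guessing worked, which needs an immediate response).
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, network and service logons are out of scope
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["ip"]].append(ev)
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            successes[ev["ip"]].append(ev)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best = None  # (start_index, end_index, count) of the densest window
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue
        burst = fails[best[0]:best[1] + 1]
        last_failure = burst[-1]["ts"]
        later = sorted((s for s in successes[ip] if s["ts"] >= last_failure),
                       key=lambda e: e["ts"])
        success = later[0] if later else None
        alerts[ip] = {
            "failures": best[2],
            "first": burst[0]["ts"],
            "last": last_failure,
            "users": sorted({e["user"] for e in burst}),
            "success_after": success["ts"] if success else None,
            "success_user": success["user"] if success else None,
        }
    return alerts


def run_detection(threshold=5, window_minutes=10):
    """Run the detector over the constructed sample and return the alerts."""
    return detect_rdp_brute_force(parse_events(SAMPLE_EVENTS), threshold, window_minutes)


if __name__ == "__main__":
    for ip, a in run_detection().items():
        outcome = (f"then SUCCESSFUL logon as {a['success_user']} at {a['success_after']:%H:%M:%S}"
                   if a["success_after"] else "no subsequent success")
        print(f"{ip}: {a['failures']} failed RDP logons {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"accounts tried {a['users']}, {outcome}")
```

With the default ten-minute window only 203.0.113.7 is flagged (eight failures across four accounts in under three minutes, then a successful logon as backupadmin); the slow drip from 192.0.2.9 only shows up when the window is widened to hours, which is why a detector like this should be run at more than one window size. Feeding it real data means exporting 4624/4625 events with their IpAddress, LogonType and TargetUserName fields from the Security log; the point of the exercise is that the burst-then-success pattern is visible long before backups start disappearing, and that RDP with two-factor authentication or no RDP exposure at all makes the burst irrelevant.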
By the way, another reason to use two-factor authentication and not just rely on a strong password alone is the repeated reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why they would pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Keyloggers in OEM drivers link:
http://www.zdnet.com/article/keylogger- ... of-hp-pcs/
To those using Data Domain as a target for Veeam: according to DELL EMC, close to a thousand of your systems are still running DD OS 5.4 and 5.5. Please schedule the upgrade in the next few months, as we're planning to end support for these DD OS versions in the next update. The real reason is that the DDBoost SDK required for the upcoming DD OS version supports 5.6 and later only.
Did you know the biggest bubble in human history was with tulips? I was fascinated reading the article, especially that snippet on how many goods you could get for a single bulb. Luckily, humanity has advanced so far in 500 years that this sort of explainable craziness can never repeat... just kidding, actually I learnt about tulip mania while watching the video on the mother of all bubbles.