Comprehensive data protection for all workloads
kjstech
Expert

Is storing veeam backups on a purpose built linux based appliance considered air-gapped?

Post by kjstech »

Hello,

We store all of our Veeam backups on an appliance called Exagrid. It's a Linux-based virtual appliance. I don't think that SMB is the mechanism for data transfer because it's added in as a Linux managed server and an SSH credential is in there. The backup repositories are pointed to this Linux server where the credential is tied.

My understanding is that ransomware seeks out and uses SMB to find files in Windows / Samba shares to read and encrypt files.

Has ransomware evolved enough to jump from Windows to Linux through Veeam, recognize vbm, vbk and vib files and encrypt them as well?

If we were using an SMB-based file repository I wouldn't question it, but there is a little bit of a translation going on here that I'm not sure ransomware has evolved to figure out. If it can bypass these "separations" (also the Veeam VM has a second NIC in another network where the Exagrid file shares are stored), then we have to rethink an air-gapped backup policy.
Gostev
Chief Product Officer

Re: Is storing veeam backups on a purpose built linux based appliance considered air-gapped?

Post by Gostev »

Hello!

Definitely no. "Air-gapped" means "not reachable over the network" (disconnected and/or offline), which is clearly not the case here.

You are right, some years ago ransomware started from "seeks out and uses SMB to find files in windows / samba shares to read and encrypt files". This is because it was originally designed to go after regular end users, and collect a small ransom from a large number of affected computers.

This crime has evolved though. Serious hackers are going after serious targets these days: companies who have important data to lose and lots of money to pay. Most of the successful attacks we're seeing these days involve malware letting the hackers into the environment, who then obtain root privileges via zero-day vulnerabilities or key loggers, analyze the environment's data protection strategy, and destroy all backups which are online (along with encrypting production data).

As such, the fact that you're running a Linux repository does not make any difference. So long as it is online, hackers can log on to it and destroy all your backups.

The only alternative to air-gap is immutability: backups protected by native storage capabilities physically preventing them from being modified or deleted until a certain time. In the case of immutable backups, it is not a problem for the backup storage to remain online and accessible over the network.

Thanks!
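One native Linux mechanism for the immutability described above is the filesystem immutable attribute (`chattr +i`), which even root cannot bypass without first clearing the flag. The audit below is an added example, not code from the thread or from Veeam or Exagrid: it walks a repository directory, reads the inode flags of every vbm/vbk/vib file via the FS_IOC_GETFLAGS ioctl, and lists the files an attacker with root could still delete or rewrite. It assumes a Linux host with the x86-64/aarch64 ioctl number encoding; the sample repository it builds is constructed for demonstration.

```python
import os
import fcntl
import struct
import tempfile
from pathlib import Path

# FS_IOC_GETFLAGS = _IOR('f', 1, long); its numeric value depends on sizeof(long).
# Assumption: x86-64 / aarch64 style ioctl encoding (not taken from the thread).
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010            # the bit set by `chattr +i`

BACKUP_SUFFIXES = {".vbk", ".vib", ".vbm"}   # backup file types named in the thread


def immutable_status(path):
    """Return 'immutable', 'mutable' or 'unknown' for a single file.

    'unknown' means the filesystem does not expose inode flags (some network
    or tmpfs mounts); an audit should report that, not silently treat it as safe.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        try:
            buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, b"\0" * 8)
        except OSError:
            return "unknown"
    finally:
        os.close(fd)
    flags = struct.unpack("I", buf[:4])[0]   # the kernel writes a 4-byte int
    return "immutable" if flags & FS_IMMUTABLE_FL else "mutable"


def audit_repository(root):
    """Map each backup file (relative path) under root to its immutability status."""
    root = Path(root)
    return {str(p.relative_to(root)): immutable_status(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in BACKUP_SUFFIXES}


def unprotected(report):
    """Backup files that are not immutable: deletable by anyone holding root."""
    return sorted(name for name, status in report.items() if status != "immutable")


def make_sample_repo():
    """Constructed sample repository: one job's metadata, full and incremental files."""
    d = tempfile.mkdtemp(prefix="repo-audit-")
    for name in ("job1.vbm", "job1D2020-12-17.vbk", "job1D2020-12-18.vib", "notes.txt"):
        Path(d, name).touch()
    return d


if __name__ == "__main__":
    report = audit_repository(make_sample_repo())
    for name in unprotected(report):
        print(f"NOT IMMUTABLE ({report[name]}): {name}")
```

Run it against a real repository path instead of the sample directory; on a hardened repository every line it prints is a restore point that does not meet the immutability requirement.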
soncscy
Veteran

Re: Is storing veeam backups on a purpose built linux based appliance considered air-gapped?

Post by soncscy »

To add some real world stories that I heard the end result of from my clients:

- Attacker got admin creds after successful phishing campaign in March. Attack happened in October and silently deleted all backups and encrypted VMs
- Attacker exploited several public-facing web servers and got some admin logins. Due to password reuse, they got further into the environment and deleted all the VMs and held backups hostage (even after paying, the decryption was apparently done really shoddily and wrecked these backup files)
- Attacker was a pissy employee that was terminated as the budget was shrunk due to COVID. They just nuked everything with their admin creds

I'm not trying to scare you, but I can almost guarantee that there is no such thing as a fool-proof checklist except for backups that are physically disconnected from anything and offline, and even then you have physical damage, bitrot, and malicious persons to worry about, much less plain old human error.†

What I do mean to say is plot your threat vectors carefully and know your vulnerabilities. Redundant copies are a strategy for a reason.

† I've seen clients "dangle" USB drives from some racked server because "there wasn't a table close enough to rest it on", and it wrecked the chassis for the drive enclosure enough that there were inconsistent writes... really, it's ridiculous what some people do in the name of laziness.
kjstech
Expert

Re: Is storing veeam backups on a purpose built linux based appliance considered air-gapped?

Post by kjstech »

Wow, that's scary but also eye-opening. I think the new version of Exagrid's OS has an immutable backup option. You have to set it to a certain percentage of disk space, I think. I'll get more details from them. The other thing I thought of is to replicate it to another appliance and then, when done, log into the switch and shut down that network interface towards the appliance. That may not stop rogue admins, but it should help add another complication for an attacker who doesn't fully know your operation.

So it sounds like the kind of ransomware that seeks out writable shares may not find the backups, but an actual attacker will... a real person behind the keyboard who has a foothold in the environment through a reverse shell and then creates persistence. It sounds like human intervention is involved here, so a little more effort... but heck, it's a lot easier than going to the bank with a gun. They can sit safe and sound in mommy and daddy's basement for all they care.

Thanks for the eye-opener.
Gostev
Chief Product Officer

Re: Is storing veeam backups on a purpose built linux based appliance considered air-gapped?

Post by Gostev »

kjstech wrote (Dec 17, 2020 4:04 am): "The other thing I thought of is to replicate it to another appliance and then when done log into the switch and shut down that network interface towards the appliance."
This is actually my own backup strategy at home :D

It started long ago from me getting irritated that my home NAS would wake up quite often for no apparent reason. And because it is about 10 years old now, I didn't fancy all these extra spin up/down cycles on its hard drives. So I placed the NAS right by the "main highway" of my flat, and got into the habit of powering it on only when I actually needed to access data on it, then powering it off whenever I pass by again. Meaning, it remains offline 98% of the time.

Nevertheless, this always worked well for backups of home computers with the Veeam Agent, as triggering backups automatically with the "When backup target is connected" option was supported since its first version. The only issues were having very rare restore points, and backups running at a bad time (when the PC and NAS were also used for something else). But the Backup Cache feature solved it completely, because with that I can run backups with my favorite "At lock" schedule, and then all those restore points are automatically uploaded to the NAS whenever I feel like turning it on.