-
- Enthusiast
- Posts: 46
- Liked: 2 times
- Joined: Jul 06, 2012 8:28 pm
- Full Name: Tucker Sukraw
- Contact:
Saved Passwords in Veeam Vulnerable?
Hey Veeam,
Wanted to run this by the group for input.
Recently we had a ransomware attack.
To give you some background Veeam was on 9.5u3
Backups were going to a local NAS and had a copy job to a secondary NAS in another building.
Both NAS units were using shared folders CIFS with independent credentials not tied to AD.
In the ransomware attack the attacker gained access to the AD administrator account and remote access.
It appeared (We cannot absolutely confirm this) but it appeared the attacker was aware of Veeam and its role.
We suspect this for the following reasons.
1) Veeam was removed from the servers.
2) The NAS units had unique passwords on them that were only used in the Veeam setup. (saved in Veeam)
In the attack both NAS units were targeted and both units were compromised using the unique login credentials that were saved in Veeam. Which is where we think they were pulled from.
So my questions is, is there any way to safe guard passwords that are saved in Veeam?
Utilizing some powershell commands it is fairly easy to decipher all the saved passwords into plain text.
Wanted to run this by the group for input.
Recently we had a ransomware attack.
To give you some background Veeam was on 9.5u3
Backups were going to a local NAS and had a copy job to a secondary NAS in another building.
Both NAS units were using shared folders CIFS with independent credentials not tied to AD.
In the ransomware attack the attacker gained access to the AD administrator account and remote access.
It appeared (We cannot absolutely confirm this) but it appeared the attacker was aware of Veeam and its role.
We suspect this for the following reasons.
1) Veeam was removed from the servers.
2) The NAS units had unique passwords on them that were only used in the Veeam setup. (saved in Veeam)
In the attack both NAS units were targeted and both units were compromised using the unique login credentials that were saved in Veeam. Which is where we think they were pulled from.
So my questions is, is there any way to safe guard passwords that are saved in Veeam?
Utilizing some powershell commands it is fairly easy to decipher all the saved passwords into plain text.
Tucker Sukraw
Network Architect
West Central Technology
Network Architect
West Central Technology
-
- Product Manager
- Posts: 14763
- Liked: 3049 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
Hello,
please find details about the used encryption standards here https://helpcenter.veeam.com/docs/backu ... ml?ver=100
We use Microsoft APIs. The passwords are stored in the SQL database and encrypted with the Windows machine key.
If an attacker has access directly to the Veeam server, then he can decrypt them as you already mention. This is true for every kind of software using passwords against external systems. It's nothing special. https://helpcenter.veeam.com/docs/backu ... ml?ver=100
Best regards,
Hannes
please find details about the used encryption standards here https://helpcenter.veeam.com/docs/backu ... ml?ver=100
We use Microsoft APIs. The passwords are stored in the SQL database and encrypted with the Windows machine key.
If an attacker has access directly to the Veeam server, then he can decrypt them as you already mention. This is true for every kind of software using passwords against external systems. It's nothing special. https://helpcenter.veeam.com/docs/backu ... ml?ver=100
Best regards,
Hannes
-
- Service Provider
- Posts: 469
- Liked: 119 times
- Joined: Apr 03, 2019 6:53 am
- Full Name: Karsten Meja
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
if the database is backuped with veeam and application-aware processing, are the passwords still encrypted in the backup?
-
- VP, Product Management
- Posts: 27337
- Liked: 2782 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
Usage of AAIP settings does not affect how passwords are stored and handled. Not sure I understood your question about passwords in backups. If we are talking about other non-Veeam databases that are protected with Veeam, then you can use this option to protect your files.
-
- Service Provider
- Posts: 469
- Liked: 119 times
- Joined: Apr 03, 2019 6:53 am
- Full Name: Karsten Meja
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
Hi Vitaliy,
the question is only about the VBR database and its stored credentials and if it is necessary to encrypt backup files or if it is encrypted by design and cannot be decrypted, even with with any sort of recovery operation from VBR. In my case the source and the destination servers are different maschines.
the question is only about the VBR database and its stored credentials and if it is necessary to encrypt backup files or if it is encrypted by design and cannot be decrypted, even with with any sort of recovery operation from VBR. In my case the source and the destination servers are different maschines.
-
- VP, Product Management
- Posts: 27337
- Liked: 2782 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
Hey Karsten,
Well, VBR database is protected with a machine key as Hannes said and it is unrelated to backups. As for backups, then I can only say that you must encrypt them if you don't want data from these backups to be exposed and this really depends on how applications using these protected databases are interacting with them.
Thanks!
Well, VBR database is protected with a machine key as Hannes said and it is unrelated to backups. As for backups, then I can only say that you must encrypt them if you don't want data from these backups to be exposed and this really depends on how applications using these protected databases are interacting with them.
Thanks!
-
- Service Provider
- Posts: 469
- Liked: 119 times
- Joined: Apr 03, 2019 6:53 am
- Full Name: Karsten Meja
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
for a Veeam Cloud Connect server, is it better to backup encrypted configuration via Configuration Backup and do not aaip the SQL database?
-
- VP, Product Management
- Posts: 27337
- Liked: 2782 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
AAIP and configuration backup are two different things and they cannot be compared. Regardless of whether you do AAIP backup for SQL database or not, the result (data from the database) is the same; data is in the backup file, there is no difference in how it is stored.
If you're asking what the better way of protecting the Veeam database is, then configuration backup should be a way to go.
If you're asking what the better way of protecting the Veeam database is, then configuration backup should be a way to go.
-
- Product Manager
- Posts: 14763
- Liked: 3049 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
I think this answers the question?if it is necessary to encrypt backup files or if it is encrypted by design and cannot be decrypted, even with with any sort of recovery operation from VBR
-
- Enthusiast
- Posts: 38
- Liked: 1 time
- Joined: May 05, 2021 9:08 pm
- Full Name: Michel Houde
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
Hi,
I think it would be nice to have the ability to suspend the NAS user accounts on a schedule. If Veeam is configured to use one user account for backing up and that account is disabled on the NAS outside the backup window then, even if an attacker have the password, he would not be able to access the NAS in question. The NAS would still be accessible with the administrator account which Veeam would be unaware of. That would be better than power on/off on a schedule.
Just an idea.
I think it would be nice to have the ability to suspend the NAS user accounts on a schedule. If Veeam is configured to use one user account for backing up and that account is disabled on the NAS outside the backup window then, even if an attacker have the password, he would not be able to access the NAS in question. The NAS would still be accessible with the administrator account which Veeam would be unaware of. That would be better than power on/off on a schedule.
Just an idea.
-
- Product Manager
- Posts: 14763
- Liked: 3049 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Saved Passwords in Veeam Vulnerable?
Hello,
you can do that already today. Just query the job status and disable the user on the NAS side.
Disabling on the VBR side has no impact on security. An attacker could just enable it again. Keep in mind that in many cases a human is taking over once an automated attack has found a good target (e.g. a backup server)
Best regards,
Hannes
you can do that already today. Just query the job status and disable the user on the NAS side.
Disabling on the VBR side has no impact on security. An attacker could just enable it again. Keep in mind that in many cases a human is taking over once an automated attack has found a good target (e.g. a backup server)
Best regards,
Hannes
Who is online
Users browsing this forum: Robert-xl, scottf99 and 137 guests