I heard this story at an event hosted by Veeam; another partner told me about it:
An attacker got access to the backup infrastructure. The encryption key for the backups was changed. Nothing more. This went on for a few months. Then the customer was contacted by the attacker. This is a hard hit, b/c air-gapped and insider protection won't help here.
Is Veeam aware of this scenario?
What is Veeam doing to prevent this?
What can partners and customers do to prevent this scenario? I know that a new full backup is created when changing the encryption password - what's the best way to actively monitor this? Just seeing some performance impact b/c of the full backup is not enough.
I am fully aware that IT should be protected and backups are the last line of defense. There are many other things you should have, e.g. MFA.
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Chief Product Officer
- Posts: 31806
- Liked: 7300 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: theoretical attack: change encryption key months ago
This is one of the use cases for our password loss protection feature. When you pick an encryption password to use, there's an indication under the password selection control whether you have this feature enabled in your environment.
But in general, if you don't monitor access to your backup server or changes to its settings, there are just too many other attack angles to worry about this more scientific one. The recommended way is to use Veeam ONE, however in v10 you can also use backup server audit reports in the Enterprise Manager for "manual" monitoring.
- Veteran
- Posts: 643
- Liked: 312 times
- Joined: Aug 04, 2019 2:57 pm
- Full Name: Harvey
Re: theoretical attack: change encryption key months ago
Hi Christoph,
This is actually a cool thought experiment for me...while I get what Gostev is saying, I think I personally would like some sort of backup method to detect this also.
I cobbled this together pretty quick and I think it'd work in PS with Send-MailMessage from the loop:
$N = New-TimeSpan -Days 2   # alert on any key modified within the last N days
$creds = Get-VBREncryptionKey
foreach ($cred in $creds){
    # compare UTC with UTC, since ModificationDateUTC is a UTC timestamp
    if(((Get-Date).ToUniversalTime() - $cred.ModificationDateUTC) -lt $N){
        Write-Host "this is where your Send-MailMessage code would go"
    }
}
It's still guesswork, but should work!
I also found the method in one of the logs that reports it:
CManagePasswordsCommand
Encryption password [some uuid] has been changed
So I suppose something similar can just be done to parse the logs for this and you should be able to find the changes there and do similar reporting if found:
Get-ChildItem C:\ProgramData\Veeam\Backup\ -Recurse -File -Filter *.log | Select-String -Pattern "Encryption password .* has been changed"
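The two checks above rely on a fixed time window. As an added example (not Harvey's or Veeam's code), the script below instead keeps a baseline of each key's last modification time between runs, so a change is flagged once regardless of when the scheduled task last ran, and it combines that with the log search for the message Harvey found. It assumes the Veeam PowerShell snap-in/module is loaded, that Get-VBREncryptionKey objects expose Id, Description and ModificationDateUtc, and uses placeholder paths and mail addresses.

```powershell
# Added example, not code from the thread or from Veeam. Paths, SMTP host and
# addresses are placeholders; the Id/Description/ModificationDateUtc property
# names on Get-VBREncryptionKey objects are an assumption (the snippet above
# already uses ModificationDateUTC).
$BaselinePath = 'C:\VeeamMonitor\encryption-key-baseline.json'   # placeholder
$LogRoot      = 'C:\ProgramData\Veeam\Backup'                     # from the thread
$Recipients   = 'backup-admins@example.invalid'                  # placeholder

function Compare-VBREncryptionKeyBaseline {
    param([string]$Path)
    # Snapshot: key Id -> last modification time (UTC, round-trip format).
    $current = @{}
    foreach ($key in Get-VBREncryptionKey) {
        $current[[string]$key.Id] = $key.ModificationDateUtc.ToString('o')
    }
    $alerts = @()
    if (Test-Path $Path) {
        $baseline = Get-Content $Path -Raw | ConvertFrom-Json
        foreach ($id in $current.Keys) {
            $old = $baseline.$id
            if ($null -eq $old) { $alerts += "New encryption key $id (modified $($current[$id]))" }
            elseif ($old -ne $current[$id]) { $alerts += "Encryption key $id changed: $old -> $($current[$id])" }
        }
        foreach ($name in $baseline.PSObject.Properties.Name) {
            if (-not $current.ContainsKey($name)) { $alerts += "Encryption key $name was removed" }
        }
    }
    # Persist this snapshot so the next run compares against it, not against a time window.
    $current | ConvertTo-Json | Set-Content $Path
    return $alerts
}

function Find-VBREncryptionKeyChangeLogEntries {
    param([string]$Root, [datetime]$Since)
    # Same log message Harvey found (CManagePasswordsCommand), only in logs written since $Since.
    Get-ChildItem $Root -Recurse -File -Filter *.log |
        Where-Object LastWriteTimeUtc -ge $Since |
        Select-String -Pattern 'Encryption password \[[^\]]+\] has been changed' |
        ForEach-Object { "$($_.Filename):$($_.LineNumber): $($_.Line.Trim())" }
}

$findings  = @(Compare-VBREncryptionKeyBaseline -Path $BaselinePath)
$findings += @(Find-VBREncryptionKeyChangeLogEntries -Root $LogRoot -Since (Get-Date).ToUniversalTime().AddDays(-1))

if ($findings.Count -gt 0) {
    $body = $findings -join "`n"
    Write-Warning $body
    Send-MailMessage -To $Recipients -From 'veeam-monitor@example.invalid' -Subject 'Veeam encryption key change detected' -Body $body -SmtpServer 'smtp.example.invalid'
}
```

Run it from a scheduled task and copy the baseline file and the alerts to a system the backup administrators do not control, since someone with access to the backup server can edit both the logs and the baseline.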