Veeam Blackcat credentials database

[majortom1981]

It was revealed yesterday that the blackcat ransomware has been updated to directly target veeam. It will go into the veeam database to steal any credentials stored there.

I have a couple of questions.

1. If the veeam server is taken off the domain and used off domain would this stop blackcat from getting access to the veeam server or can they still get into it ? Do I need to setup a software firewall on the veeam server blocking all connections from non backed up clients?

2. If they get the cloud connect credentials fro mthe server can they use them to encrypt the cloud connect backups?

[PetrM]

Hello and Welcome to Veeam R&D Forums!

In fact, any product can be hacked, it's not possible to close all potential "backdoors" even in theory.

1. It's difficult to say, we don't know how this ransomware spreads within an infrastructure. Basically, it's a reasonable idea to keep the Veeam B&R server out of domain: if the domain account is hijacked, the backup server won't be compromised. Also, you may have a look at this page of the best practices guide and our help center provides useful security considerations as well. Speaking about software firewall, I don't see any disadvantages if it does not affect our services, you may check the required ports to avoid connectivity issues.

2. I doubt that it's possible to encrypt already existing backups. In theory, an intruder can delete backups but we have insider protection feature that should be enabled by cloud provider. Anyway, one of the best protection methods against ransomware is the immutable repository.

Thanks!

[jvhilario]

Has Veeam already come up with mitigation for noberus ransomware which targets built in database?

https://www.theregister.com/2022/09/25/ ... _symantec/

Cheers!

John

[HannesK]

Hello,
and welcome to the forums.

With any kind of software that stores credentials (e.g. monitoring software, backup software etc.), there is no way to prevent that kind of attack (except preventing access to the machine).

This attack vector is documented in the security section of the user guide. It's just in the nature of any product that has to store credentials.

An attacker who gained high-privilege access to backup infrastructure servers can get credentials of user accounts and compromise other systems in your environment.

Attacking the database itself is no problem. The credentials are encrypted with the machine key of the backup server. The problem exists, if the attacker has admin access on the backup server. Then he can decrypt the credentials from the database, because he has access to the machine key. That method is widely documented in PowerShell scripts on the forums and the Internet.

To keep the discussion short: even if there would be some "magic" way to prevent that attack, the attacker with administrator privileges could always get the credentials directly from RAM on the backup server once the product needs to use them.

For Windows application aware processing (AAIP) credentials: V12 will bring gMSA support. That removes passwords for Windows AAIP in a domain.

Best regards,
Hannes

PS: I merged your question to one of the existing threads around that topic. According to the article, it looks like it's about the same ransomware

[Andreas Neufert]

Please allow me to add that it is important to store backups air-gapped or in a immutable way to prevent any hacker from deleting or tampering with this data.

Regarding credentials reading from Veeam or any other Backup/Software that need to store passwords. For this attack you need admin access to the Veeam Server (or to the other system that stores credentials), so something is already broken in the first place. The Veeam Server should be protected similar to your Active Directory Servers to not allow someone to gain access in the first place.

[dali@iae.nl]

I want to know how and what are possibilities for hackers to steal credentials from the Veeam Database.
I'll ask from Veeam to clarify how to interpreted these posts in the media.

An example of such a post (https://duo.com/decipher/attackers-depl ... te-tactics):
Researchers said that at least one Noberus affiliate was observed in late August using information-stealing malware called Eamfo that is designed to steal credentials stored by Veeam backup software, which can store credentials for systems ranging from domain controllers to cloud services. Eamfo has been around since at least August 2021, and researchers said there is evidence that it was previously used by attackers alongside Yanluowang and LockBit ransomware attacks.

“Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt,” said Symantec researchers.

No data is 100% proof of hackers but are there any advisable additional protections needed.

[Mildur]

Hi Da Li

Please see the answers above from my colleagues.

Thanks
Fabian

[Andreas Neufert]

As well please see this statement: https://community.veeam.com/news-56/off ... -post-3386

[albertwt]

Thank you for the update and the solution provided Team

[AlexHeylin]

we have insider protection feature that should be enabled by cloud provider.

Hi,

As a VCSP we discussed this feature quite extensively and because proper operation relies on settings from both the SP and tenant side (and the tenant side can be changed by an attacker with access to the VBR server), the general view was that while this offers some protection it should not be relied upon. Proper immutable storage (tenant-local, tenant-cloud, or via VCSP) is far superior and in the case of VCSP provided immutable storage the settings are on the SP side so are protected from insider attack at the tenant.

The other setting which I urge people not to rely on is "eject USB drive after backup" because the drive can be easily remounted from the local machine.

[Gostev]

Indeed, to be fair this feature is from the previous life where there was not too many immutable storage options except tape