In his latest Word from Gostev, he wrote about a ransomware story affecting a Veeam customer. No matter how similar these stories are to one another, there is something new to learn from each of them that can prevent the same disaster from happening in your environment. That is especially true of stories like this one, which deals with hackers who were trying to be helpful, so to speak: once the ransom was paid, they explained to the victim how they got in, without ever being asked to…
The attack started from a Veeam backup server that was directly accessible from the Internet through RDP (Remote Desktop Protocol), with the common account name “backup” and an easy-to-guess password, a classic. That is how the hacker got in initially. Not only did the account in question have “Local Administrator” privileges on the backup server, it was also an administrator on the domain itself, so this particular environment was completely lost right out of the gate. Even worse, the backup server had saved connections to two more virtual environments belonging to clients that this partner was managing, obviously with admin credentials as well.
The consequences are pretty obvious: the hacker set a good old boot-encrypting ransomware loose on all three environments, taking them hostage, and the partner truly had no choice but to pay thousands of dollars in ransom… In the end, though, they were provided the decryption keys along with the breach details, just because the hacker was trying to be nice. So, what can we all learn from this particular case?
3 important things to protect your Backup Server:
First, your backup servers should never, ever be accessible from the Internet. Outbound connectivity from a backup server is usually not a problem and is often required, unless you are willing to sacrifice functionality such as product update checks, license auto-update, license usage reporting for Veeam service providers and the like. However, there is simply no good reason to allow inbound connectivity from the Internet to your backup servers, period. If you want to manage your backup server remotely over the Internet, do so through a jump box with the Veeam Backup Console installed, importantly without saving any credentials there, and obviously with credentials different from those of the backup server. Needless to say, the “no inbound connectivity” best practice still holds even if you are a Managed Backup Service Provider (MSP) who needs to connect to backup servers installed in clients’ environments. Those backup servers should never allow inbound connections either; that is just asking for trouble. Instead, as an MSP you should use the Veeam Backup Remote Access functionality, which is specifically designed for this scenario: it lets you securely connect to your clients’ backup servers through the existing Cloud Connect tunnel, which is an outbound connection from the backup server to your (Service Provider’s) environment.
Second, make sure the account used for RDP access does not have “Local Administrator” privileges on the jump box. There is simply no good reason for it to have such privileges, unless you want to help the hacker out. It is easy to fetch and decrypt passwords protected with the machine key from Veeam (or any other management software) if you can log in to the management server, and that is exactly the problem a jump box solves. However, “Local Administrator” privileges on a compromised jump box also allow a hacker to steal various LSA secrets, or even powerful domain credentials from some service account that you missed (or added later). Not to mention that it also enables the installation of keyloggers and advanced hacking tools, because once they have penetrated your network perimeter, smart hackers always take time to collect additional information before executing the actual attack.
Third, never use the saved credentials functionality for RDP or other remote console connections on your jump box. If your access account gets compromised, you don’t want the hacker to be able to immediately access other environments under some almighty credentials you conveniently saved for them.
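The three recommendations above can be turned into a quick read-only audit of a Windows jump box (or backup server). This is an added example, not code from the Word from Gostev or from Veeam; the `$RdpAccount` parameter name and the findings format are this example's own assumptions, and the Internet-exposure check is approximated at the host firewall level, since the perimeter itself cannot be inspected from the box.

```powershell
# Added example: audit a Windows jump box against the three recommendations.
# Read-only checks; run in an elevated PowerShell 5.1+ session on the box itself.
param(
    # Account used for interactive RDP access to the jump box (assumed name).
    [string]$RdpAccount = "$env:USERDOMAIN\$env:USERNAME"
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The RDP access account must not be a local Administrator (second recommendation).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $RdpAccount) {
    $findings.Add("RDP account '$RdpAccount' is a member of local Administrators")
}

# 2. No saved credentials in Credential Manager (third recommendation).
#    Saved RDP logons appear as targets containing TERMSRV/<host>.
$saved = cmdkey /list | Select-String -Pattern '^\s*Target:\s*(.+)$' |
         ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($t in $saved) {
    if ($t -match 'TERMSRV/') {
        $findings.Add("Saved RDP credential found: $t")
    } else {
        $findings.Add("Saved credential found (review): $t")
    }
}

# 3. If RDP is enabled, its inbound firewall rules must be scoped to a management
#    subnet rather than 'Any' (first recommendation, as far as the host can tell).
$tsKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($tsKey.fDenyTSConnections -eq 0) {
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
        ForEach-Object {
            $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($scope -contains 'Any') {
                $findings.Add("Inbound RDP rule '$($_.DisplayName)' accepts connections from Any")
            }
        }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean run prints `No findings.`; anything else is a deviation from one of the three recommendations and names the account, credential target or firewall rule to fix.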