posted by Fnord666 on Sunday March 08 2020, @04:35PM
from the leverage dept.

Ransomware Attackers Use Your Cloud Backups Against You:

Backups are one of the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use it against you.

Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim's Veeam backup software.

This was not meant to expose the information to others for further attacks but was used as a warning to the victim that the ransomware operators had full access to their network, including the backups.

After seeing this information, I reached out to the operators of the DoppelPaymer and Maze Ransomware families to learn how they target victims' backups and was surprised by what I learned.

It should be noted that in this article we will be focusing on the Veeam backup software. Not because it is less secure than other software, but simply because it is one of the most popular enterprise backup products and was mentioned by the ransomware operators.


  • (Score: 2) by edIII on Sunday March 08 2020, @08:38PM (4 children)

    by edIII (791) on Sunday March 08 2020, @08:38PM (#968280)

    Actually, cloud backups aren't the problem. I have a solution that is, technically, in the "cloud". Meaning that the servers are in another data center, uses ZFS to distribute the data, and a but of virtual systems to load balance and handle all the connections. Local backups are not a great idea. Geographic distribution of data across large regional areas is what is required for businesses, and any serious backup projects. If you're determined that no business data travels across fiber, then copies of the backup media can be physically transferred instead. I have backups of my family data out of state for that reason.

    What's important though is zero knowledge backup. In this case, it's called End-to-End encryption and the cloud provider said it could be used with their enterprise products. If that's true, an attacker having a login to the account management should have zero access to the underlying data beyond reports. Those reports just list dates, bandwidth, total disk use etc. There is something else going on here not mentioned in the article. Publishing that user name and password shouldn't have resulted in access to the data without the encryption key.

    Used properly, a cloud backup provider isn't at risk of disseminating any business data to anyone.

    The one I have has zero account management and no user login portal of any kind. Entirely run on a local software instance that has the encryption keys, and all I transmit are encrypted data packets and my account ID. I get billed based on how much storage I take, which is directly related to how many backup copies I want, or how long I want to be able to recover from. All of my files are versioned for 30 days. What's useful about it is that the restore process can restore any file, at any point in time within that 30-day window. Makes recovery from ransomware pretty damn easy.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 5, Insightful) by maxwell demon on Sunday March 08 2020, @08:49PM (1 child)

    by maxwell demon (1608) on Sunday March 08 2020, @08:49PM (#968284) Journal

    Publishing that user name and password shouldn't have resulted in access to the data without the encryption key.

    Of course that doesn't protect you against the attacker simply deleting your backup. I also imagine that when having your credentials, the attacker could simply change the password, making not only the existing backups unavailable to you, but also preventing the creation of new backups at that service.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 3, Informative) by vux984 on Sunday March 08 2020, @11:57PM

      by vux984 (5045) on Sunday March 08 2020, @11:57PM (#968332)

      Of course that doesn't protect you against the attacker simply deleting your backup.

      Amazon S3, object locking, retention mode. Once an object is in a container with a locking policy, nobody can delete or modify the object. Nobody can reduce the retention policy length, nobody can delete the container the data is in. And even if the root user account is, amazon apparently doesn't delete it for 90 days.

      I also imagine that when having your credentials, the attacker could simply change the password, making not only the existing backups unavailable to you, but also preventing the creation of new backups at that service.

      Multiple S3 accounts, in different regions, with different credentials, and different encryption keys, held by different people. All with 2FA.
      Also diversify off S3. I'm only aware of this object locking functionality on S3 which I think is a massive advantage, but others might have it or be adding it. But even a regular non-locked cloud backup on a 2ndary provider shields you from issues at Amazon, and your amazon account getting breached.

      As for having someone change the password and email and locking you out, I've addressed that by having multiple S3/storage accounts. But also, you can call these companies and sort that out -- you are a paying customer. These aren't free gmail accounts where if you forget the password and don't have the recovery phone number it's just gone unless you start dating the right google executive.

      Veeam, by the way, since it's mentioned, supports this. I'm currently in the process of setting this up myself, so if there are flaws in the plan, I'm beyond interested in hearing them. I just walked away from another product because it didn't support S3 object locking.

      Offline media, especially tapes, are a massive PITA. I think it's an appropriate technology for a larger site with full-time IT and backup admins to rotate the media, monitor the hardware, test the backups, etc etc. But it's simply impractical for a small / medium business. Especially when the media rotation is inevitably going to fall on the receptionist or something.
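      One way to audit a backup bucket against the protections vux984 describes (Object Lock with a retention mode, versioning, separate credentials) is to check the bucket's configuration before trusting it. This is an added example, not code from the thread or from Veeam or Amazon; it assumes the dict shapes that boto3's get_object_lock_configuration() and get_bucket_versioning() return, and the sample values below are constructed, not from a real account.

```python
"""Audit an S3 backup bucket's immutability settings from its API responses.
Added example; the response dicts are constructed samples mirroring boto3's
get_object_lock_configuration() and get_bucket_versioning() output."""
from __future__ import annotations


def audit_backup_bucket(lock_cfg: dict, versioning: dict, min_days: int = 30) -> list[str]:
    """Return a list of findings; an empty list means the bucket meets the policy."""
    findings: list[str] = []
    # Object Lock requires versioning; without it a delete simply removes the object.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    # MFA Delete adds a second factor to permanently deleting versions (optional hardening).
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled on bucket")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    # GOVERNANCE retention can be lifted by a principal holding
    # s3:BypassGovernanceRetention; only COMPLIANCE gives the "nobody can delete"
    # guarantee the comment relies on, not even the account root.
    if mode != "COMPLIANCE":
        findings.append(f"default retention mode is {mode!r}, not COMPLIANCE")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days} days is shorter than {min_days}")
    return findings


# Constructed sample responses for two hypothetical buckets.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WEAK_VERSIONING = {"Status": "Enabled"}

STRONG_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
STRONG_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}

if __name__ == "__main__":
    for name, lock, ver in (("weak", WEAK_LOCK, WEAK_VERSIONING),
                            ("strong", STRONG_LOCK, STRONG_VERSIONING)):
        print(name, audit_backup_bucket(lock, ver) or ["ok"])
```

      Running the same checks against each separate account vux984 mentions (different regions, credentials and keys) catches the bucket whose retention was quietly set to GOVERNANCE or shortened below the recovery window.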

  • (Score: 1) by fustakrakich on Monday March 09 2020, @02:13AM

    by fustakrakich (6150) on Monday March 09 2020, @02:13AM (#968384) Journal

    In this case, it's called End-to-End encryption and the cloud provider said it could be used with their enterprise products.

    The state does not want that. [theregister.co.uk]

    --
    Politics and criminals are the same thing.
  • (Score: 0) by Anonymous Coward on Wednesday March 11 2020, @05:25AM

    by Anonymous Coward on Wednesday March 11 2020, @05:25AM (#969506)

    Cloud backups are a problem. They're online backups. You want an offline backup which can't be hacked, damaged by a data center failure, or at the whims of someone not falsely reporting your account in violation of the site's ToS thus getting you banned and all your data deleted. There are plenty of instances of people having their cloud data deleted. Even Google accidentally and randomly wipes out YouTube accounts and every Google account linked with that YouTube account. Your backups are only safe offline.