posted by Fnord666 on Sunday March 08 2020, @04:35PM   Printer-friendly
from the leverage dept.

Ransomware Attackers Use Your Cloud Backups Against You:

Backups are one of the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use them against you.

Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim's Veeam backup software.

This was not meant to expose the information to others for further attacks but was used as a warning to the victim that the ransomware operators had full access to their network, including the backups.

After seeing this information, I reached out to the operators of the DoppelPaymer and Maze Ransomware families to learn how they target victims' backups and was surprised by what I learned.

It should be noted that in this article we will be focusing on the Veeam backup software. Not because it is less secure than other software, but simply because it is one of the most popular enterprise backup products and was mentioned by the ransomware operators.


  • (Score: 5, Insightful) by maxwell demon on Sunday March 08 2020, @08:49PM (1 child)

    by maxwell demon (1608) on Sunday March 08 2020, @08:49PM (#968284) Journal

    Publishing that user name and password shouldn't have resulted in access to the data without the encryption key.

    Of course that doesn't protect you against the attacker simply deleting your backup. I also imagine that when having your credentials, the attacker could simply change the password, making not only the existing backups unavailable to you, but also preventing the creation of new backups at that service.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Informative) by vux984 on Sunday March 08 2020, @11:57PM

    by vux984 (5045) on Sunday March 08 2020, @11:57PM (#968332)

    Of course that doesn't protect you against the attacker simply deleting your backup.

    Amazon S3, object locking, retention mode. Once an object is in a container with a locking policy, nobody can delete or modify the object. Nobody can reduce the retention policy length, nobody can delete the container the data is in. And even if the root user account is, Amazon apparently doesn't delete it for 90 days.

    I also imagine that when having your credentials, the attacker could simply change the password, making not only the existing backups unavailable to you, but also preventing the creation of new backups at that service.

    Multiple S3 accounts, in different regions, with different credentials, and different encryption keys, held by different people. All with 2FA.
    Also diversify off S3. I'm only aware of this object locking functionality on S3, which I think is a massive advantage, but others might have it or be adding it. But even a regular non-locked cloud backup on a secondary provider shields you from issues at Amazon, and from your Amazon account getting breached.

    As for having someone change the password and email and locking you out, I've addressed that by having multiple S3/storage accounts. But also, you can call these companies and sort that out -- you are a paying customer. These aren't free Gmail accounts where if you forget the password and don't have the recovery phone number it's just gone unless you start dating the right Google executive.

    Veeam, by the way, since it's mentioned, supports this. I'm currently in the process of setting this up myself, so if there are flaws in the plan, I'm beyond interested in hearing them. I just walked away from another product because it didn't support S3 object locking.

    Offline media, especially tapes, are a massive PITA. I think it's an appropriate technology for a larger site with full-time IT and backup admins to rotate the media, monitor the hardware, test the backups, etc. etc. But it's simply impractical for a small / medium business. Especially when the media rotation is inevitably going to fall on the receptionist or something.
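One way to check that a backup bucket actually has the properties the comment above relies on (Object Lock in a mode the attacker cannot override, with a default retention period, on a versioned bucket), as an added example that is not part of the post. The input dicts mirror the shape boto3 returns from get_object_lock_configuration() and get_bucket_versioning(); the sample buckets below are constructed, and the 30-day minimum is an assumed policy value.

```python
def assess_backup_bucket(lock_cfg, versioning, min_days=30):
    """Return a list of findings; an empty list means the bucket meets the bar.

    lock_cfg   - dict shaped like boto3 get_object_lock_configuration() output
    versioning - dict shaped like boto3 get_bucket_versioning() output
    min_days   - assumed minimum default retention (policy value, not AWS's)
    """
    findings = []
    # Object Lock protects object *versions*; a bucket without versioning
    # cannot hold a locked version, so this is the first thing to confirm.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings  # nothing further to evaluate
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Without a default rule, writes that omit per-object retention
        # (most backup jobs) produce plain, deletable objects.
        findings.append("no default retention rule configured")
        return findings
    # GOVERNANCE mode is bypassable by any principal granted
    # s3:BypassGovernanceRetention; COMPLIANCE cannot be shortened or removed
    # by anyone, including the account's root user, until it expires.
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {retention.get('Mode')}, not COMPLIANCE")
    days = retention.get("Days") or retention.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"default retention {days}d is shorter than {min_days}d")
    return findings


# Constructed sample buckets: one that looks locked but is weak, one hardened.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
NO_LOCK = {}
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
VERSIONED = {"Status": "Enabled", "MFADelete": "Enabled"}

if __name__ == "__main__":
    for name, lock in (("weak", WEAK_LOCK), ("no-lock", NO_LOCK), ("hardened", HARDENED_LOCK)):
        print(name, assess_backup_bucket(lock, VERSIONED) or ["ok"])
```

Feeding the function live output from boto3 (`s3.get_object_lock_configuration(Bucket=...)` and `s3.get_bucket_versioning(Bucket=...)`) turns it into a quick audit of every bucket a Veeam repository writes to.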