“There are two types of companies: those that have been hacked and those who don’t know they have been hacked,”
– John Chambers, CEO Cisco.
We are talking about cybercrime, a global industry bigger than illegal drug trafficking. That being said, you can be quite sure that your backup infrastructure will be under attack in the future if it’s not already.
The backup infrastructure is a primary target because all relevant data of the environment is stored in that one single place. Second, if an attacker wants to destroy data, the backup environment is a good starting point, because the backup server has access to pretty much every other important system, such as the virtualization platform or the storage systems.
It just takes a few PowerShell commands to destroy the virtual infrastructure, backups or even a company, as you can see in the following video.
To be clear, this fundamental issue is nothing specific to any piece of backup software — it applies to all backup solutions. With an agent-based solution, one would use a “delete all data” pre-script instead of deleting VMs. The first example focuses on an external attacker, but what about attacks that come from the inside, for example from an IT administrator of your own company? One well-known example is the Dutch hosting provider Verelox.
Protect the passwords
The Veeam Backup & Replication user guide provides a good introduction on how to secure the backup environment in a few simple ways:
- Restrict user access
- Ensure physical security
- Encrypt backup data
However, if your credentials are compromised, then the attacker owns your backup environment. This attacker now has the power to do massive harm to your IT infrastructure. A privileged attacker can obtain the credentials of further user accounts and compromise other systems. For example, the password of a storage system with Veeam snapshot integration could be used to delete all volumes and LUNs of that storage system. Again, this is nothing Veeam specific, but it points to the extreme importance of guarding access to the infrastructure as well as its credentials.
One of the standard recommendations is to use strong passwords and protect them. With Veeam Backup & Replication Application-Aware Image Processing, every VM administrator can find MSCacheV2 hashes of the Application-Aware Image Processing user in their VM. By today’s standards, MSCacheV2 is considered a secure hash. Veeam Backup & Replication administrators should nevertheless keep in mind that weak passwords can be cracked anyway. For example, Sagitta claims to be able to brute-force more than 2,500,000 MSCacheV2 hashes per second on standard x86 hardware. This is too slow to crack strong passwords, but might be good enough for weak ones. There is a really good blog post by 1e Software on how attackers use modern GPUs to brute-force hashes.
Note: MSCacheV2 is the hash type for domain accounts and NTLM is the hash type for local computer accounts.
It sounds obvious, but having strong passwords is worth nothing if an attacker knows them. Almost all Veeam components are Windows based. This means you can apply the Microsoft security guidelines for the Veeam environment itself, and there are many good sources from independent security researchers as well as Microsoft themselves.
One way to gain knowledge of passwords is network sniffing. Sniffing a switched Ethernet network has been an easy task for many years. Graphical and console sniffing tools are widely available as open source, free and commercial software. The following video shows how easy it is to sniff an HTTPS connection. Who has never clicked “accept” on a certificate error?
Keep in mind that versions before 9.5 did not use HTTPS by default; the example shows the Veeam ONE web interface. To secure older versions of Veeam ONE Reporter and Business View, please refer to the user guide.
Backup and vSphere security
Veeam Backup & Replication connects to the vCenter to manage the backup and restore activities of virtual machines. From a security point of view — and this is absolutely considered best practice — work with the least amount of privileges required. VMware vCenter offers granular permissions to allow backups (in contrast to Hyper-V clusters or Microsoft SCVMM) and restores.
Within Veeam Backup & Replication, the different backup modes — Network, Virtual Appliance, Direct Storage Access — each require different permissions. The required permissions document (also valid for version 9.5) contains a detailed description of which permissions have to be configured for each backup mode. A security-relevant permission for the “Virtual Appliance” backup mode is that it requires the “remove disk” permission.
These security considerations can influence the choice of the backup mode. It is also possible to restrict specific backup servers (if you have multiple) to specific locations or objects in vCenter.
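One way to put the least-privilege advice above into practice with VMware PowerCLI, as an added example that is not part of the original post and not Veeam’s or VMware’s own code: a dedicated backup role is created without the hot-add-only privileges (the “remove disk” permission the post singles out), granted only on one VM folder rather than on the whole vCenter, and then audited. The vCenter address, account and folder names are placeholders, and the privilege IDs are an assumed subset that must be checked against the required permissions document for your version and backup mode.

```powershell
# Added example: scoped, reduced-privilege vCenter role for a backup service account.
# ASSUMPTIONS: PowerCLI is installed; server, account and folder names are placeholders;
# the privilege IDs are an assumed subset and must be verified against Veeam's
# required permissions document for the backup mode you actually use.

Connect-VIServer -Server 'vcenter.example.local' | Out-Null

# Privileges assumed for the Network (NBD) backup mode only.
$backupPrivilegeIds = @(
    'Datastore.Browse',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Config.DiskLease'
)

# Privileges the Virtual Appliance (hot-add) mode needs; the post flags "remove disk"
# as security relevant, so they stay out of the role unless hot-add is really used.
$hotAddPrivilegeIds = @(
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.RemoveDisk'
)

$role = New-VIRole -Name 'Veeam-Backup-NBD' -Privilege (Get-VIPrivilege -Id $backupPrivilegeIds)

# Grant the role only on the folder holding the VMs this backup server may touch,
# propagating to the objects below it, instead of at the vCenter root.
$scope = Get-Folder -Name 'Production-Tier1' -Type VM
New-VIPermission -Entity $scope -Principal 'EXAMPLE\svc-veeam-backup' `
                 -Role $role -Propagate $true | Out-Null

# Audit: list every permission the service account holds and flag roles that
# carry hot-add-only privileges, so a later "just add everything" change is visible.
function Test-BackupRoleScope {
    param([string]$Principal)
    Get-VIPermission -Principal $Principal | ForEach-Object {
        $roleObj = Get-VIRole -Name $_.Role
        $risky = $roleObj.PrivilegeList | Where-Object { $hotAddPrivilegeIds -contains $_ }
        [pscustomobject]@{
            Entity           = $_.Entity.Name
            Role             = $_.Role
            HotAddPrivileges = ($risky -join ', ')
        }
    }
}

Test-BackupRoleScope -Principal 'EXAMPLE\svc-veeam-backup' | Format-Table -AutoSize
```

Run the audit function periodically; any row with a non-empty HotAddPrivileges column on a server that uses Network mode is a candidate for review.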
Improving IT security with organizational guidelines and awareness training, along with hardware and software, raises the bar for an external attacker. Organizations should not forget that many attacks on IT infrastructure systems today are based on social engineering or on-site physical attacks. An old, well-known weakness is attacks on “mifare classic” door access systems.
Those “mifare classic” access systems still exist in many facilities. The access keys can be easily copied in a few seconds with a smartphone. With access to the server-room, an attacker could easily steal tapes or even worse — steal the actual backup hardware, which brings us back to the beginning. Encrypt your backups!
Be aware that the backup infrastructure and its data are the most interesting targets for an attacker. Following the 3-2-1 Rule, air-gapped protection, separation of permissions and responsibilities, along with network segmentation, are all keys to success. Securing the backup environment is more than just setting a checkbox. A good starting point for Veeam users is the Veeam user guide and the best practice guide.