What (else) can happen if an attacker gets administrative access to your backup?

  • 24 January 2023

This has been a hot topic for some time: with administrative access to the VBR server, credentials stored in the configuration database can be decrypted.
That may sound critical at first, but one shouldn't forget the important detail 'administrative access'.

Veeam stores its credentials in an encrypted state using the Microsoft Data Protection API and a Machine key specific to the VBR server. This is a security standard and a safe way of storing passwords, while enabling the Veeam services to use those for authentication.
And just like the services, an administrator can access and decrypt the credentials.
This is no secret and Veeam has even published a KB article on how to recover credentials from the configuration database: https://www.veeam.com/kb4349
And again, please remember that this requires administrative access to the backup infrastructure.
In general an administrator or 'root' will always have the highest available permissions and therefore can do anything on a system.
This is the same for any other software which stores passwords; just think about a browser, Windows cached credentials or a password manager.

What else can an administrator do with a backup solution?

If you're now only afraid of bad guys stealing credentials from Veeam, then I would suggest thinking a bit further.
Here's a short list of more or less critical tasks someone could execute on or with your backup software.

  • Delete all backups: this is quite obvious but should be mentioned
  • Export/steal data: also obvious, as an administrator can access and therefore export anything from the backup
  • Delete/overwrite any production data: if a user can restore data, he can also overwrite existing data
  • Extract passwords/hashes from file-level backups: not going into detail here, but as you can access any file of a VM, you could export or replace password stores
  • Access Active Directory: anything stored in AD can be accessed from the backup. Did you know that you can extract passwords stored by LAPS?
  • Access emails: not only can one extract information from here. Why not request a password reset for a certain account and get the URL out of the backup?
  • Run scripts on production systems: start/stop scripts can do just about anything on a backed-up system, like creating a domain administrator in AD or starting malicious code

There are many more ways of exploiting a backup environment for bad purposes. So this list isn't complete, but should give you an idea what could be possible.
If you can think of any other nasty actions, then please leave them in the comments.

Conclusion

Your backup environment should be one of the best protected parts of your infrastructure.
An attack will very likely not start from inside your backup, but rather end there, when all other security measures have failed.
If an attacker gets access to your backups, he will cause damage, regardless of which data protection solution you have in place.
So make sure that you do everything possible to harden and secure your backups. And, as there's no 100% security, always plan for the worst case.

-->How can you prevent or mitigate certain actions?
-->Will your backup files survive if someone gets administrative access to them?
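
Since everything above hinges on who holds administrative access, one practical starting point is to audit the local Administrators group on the backup server. The following PowerShell sketch is an added example, not part of the original post or any Veeam tooling; the function name and the `ExpectedAdmins` allow-list are hypothetical, and it assumes an elevated session on Windows Server 2016 or later.

```powershell
# Added example: list who holds administrative access on a backup server.
# Run locally on the server in an elevated PowerShell session.

function Get-BackupServerAdminExposure {
    [CmdletBinding()]
    param(
        # Hypothetical allow-list: the accounts you expect to be local administrators.
        [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")
    )

    # PartOfDomain tells us whether the server trusts a directory at all.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so this also works when the group name is localized.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember can fail when the group contains orphaned SIDs.
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            DomainJoined  = [bool]$cs.PartOfDomain
            Member        = $m.Name
            ObjectClass   = $m.ObjectClass        # User or Group
            Source        = $m.PrincipalSource    # Local, ActiveDirectory, ...
            # A non-local principal means a compromise of that directory
            # also grants administrative access to this server.
            DomainManaged = ($m.PrincipalSource -ne 'Local')
            Unexpected    = ($m.Name -notin $ExpectedAdmins)
        }
    }
}

# Show unexpected and directory-managed administrators first.
Get-BackupServerAdminExposure |
    Sort-Object Unexpected, DomainManaged -Descending |
    Format-Table -AutoSize
```

Any row with `Unexpected` or `DomainManaged` set to `True` is an account that can reach the stored credentials and perform every action in the list above, so each one should be justified or removed.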


1 comment

Definitely some really bad things can happen if they gain access, so security should be top of mind, and hardening the Veeam environment as well as no domain.
