Interesting article but this assumes that access to the VBR has been compromised...

You’re correct, this article assumes access to windows disk files!

Or Maybe it could reproduce with the access of configuration backup and steal it from the repo with encryption key.

Or more simple, a domain joined VBR server where credentials of a domain admin got dumped and key files accessed via \\VBRserver\C$

There’s a ton of ways 

+1

Wow that is definitely interesting to read.  Security should be top of mind for your backup environment. 

Seconded!

Good to know @marcofabbri 

As you know better than me , all systems are attackable if there are no security systems and predisposition to mitigate hacker attacks.

First of all the VBR server must not be included in the domain.
If you are forced to put in domain the VBR is necessary to implement GPO to avoid the use of mimicatz.
There are various techniques I attach some links.

Mimikatz – Active Directory Security (adsecurity.org)

Preventing Mimikatz Attacks. Mimikatz is playing a vital role in… | by Panagiotis Gkatziroulis | Blue Team | Medium

Defending Windows Domain Against Mimikatz Attacks | Windows OS Hub (woshub.com)

How to Mitigate Mimikatz WDigest Cleartext Credential Theft - Praetorian

+1 for no add to domain religion.

Spot on as well @Link State. I think @Nico Losschaert has an excellent guide on ways to harden the VBR Server and I would like to share it once again. 

• https://www.orbid365.be/10-tips-in-hardening-your-veeam-backup-server/

Very interesting article. 

+1 from me too

Or use a separate, dedicated “Backup” domain….

Just an FYI this link does not work any more.

Hello @Chris.Childerhose, I can access it. Here is it below

Interesting article but this assumes that access to the VBR has been compromised...

+1

Wow that is definitely interesting to read.  Security should be top of mind for your backup environment. 

Seconded!

Good to know @marcofabbri 

As you know better than me , all systems are attackable if there are no security systems and predisposition to mitigate hacker attacks.

First of all the VBR server must not be included in the domain.
If you are forced to put in domain the VBR is necessary to implement GPO to avoid the use of mimicatz.
There are various techniques I attach some links.

 

Mimikatz – Active Directory Security (adsecurity.org)

Preventing Mimikatz Attacks. Mimikatz is playing a vital role in… | by Panagiotis Gkatziroulis | Blue Team | Medium

Defending Windows Domain Against Mimikatz Attacks | Windows OS Hub (woshub.com)

How to Mitigate Mimikatz WDigest Cleartext Credential Theft - Praetorian

 

 

Spot on as well @Link State. I think @Nico Losschaert has an excellent guide on ways to harden the VBR Server and I would like to share it once again. 

• https://www.orbid365.be/10-tips-in-hardening-your-veeam-backup-server/

Just an FYI this link does not work any more.

Hello @Chris.Childerhose, I can access it. Here is it below

 

Very weird now it is working.  

And this the root cause; anyone on a network with administrative access & unlimited time will eventually do something bad.

In fact you don't even need Mimikatz to decrypt the credentials, but this doesn't change the key point; the backup server needs special protection. Thanks for posting this @marcofabbri 

A secure computer is an off computer. cit  “2001” Kevin D. Mittnick 

Thanks for this post! It should really be common knowledge, that when a hacker is able to enter VBR server, he/she is able read every login in VBR database. Therefore keep your VBR server safe like Fort Knox!