While navigating into the web, I found this interesting article published by Scottie Austin as red team hacker. In his article, he show how can be a disaster if a malicious user gain access to the VBR server because decrypting Veeam credentials can be done.
Based on Veeam documentation (https://helpcenter.veeam.com/docs/agentforwindows/configurator/encryption.html?ver=50), user credentials get encrypted before they’re stored into database and KB2327 (https://www.veeam.com/kb2327) says it’s used DPAPI crypto functions for encrypting and decrypting management data.
So, exporting DPAPI keys from the VBR servers where the attacker got access before on the first phase of the attack, breaking into SQL and then applying that reverse function using mimikatz or SharpDPAPI, the password can be decrypted in steps, from encrypted to HEX to ASCII.
This is an interesting example on why VBR servers must be protected from access, and how a malicious attacker can break that access.
Source with more content:
https://blog.checkymander.com/red%20team/veeam/decrypt-veeam-passwords/
