Indicators of compromise for CVE-2023-27532



Before continuing, if you haven't already done so, I invite you to read the topic and patch.

Source of this topic, where you can find more details and even the PoC:

https://www.huntress.com/blog/veeam-backup-replication-cve-2023-27532-response

They’re truly amazing in cybersecurity.


And now let's talk about catching some indicators of compromise.

Despite the absence of any child processes resulting from the exploit, log records are produced and stored in

C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log

However, the default logging configuration does not capture API calls. To detect the attack technique in Svc.VeeamBackup.log, you must raise the log level manually, since it is not configured that way by default. The Windows registry value

HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel

is preset to a DWORD value of 4, which does not log API calls. To monitor API calls, the value must be changed to 7.
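As an added example (not from the Huntress post or from Veeam), here is a PowerShell check for that detection gap: it reads the LoggingLevel value from the registry path quoted above, reports whether API calls would be logged, confirms the log file exists, and can raise the level to 7. The registry path, value name and log path are taken from this post; treating any level at or above 7 as sufficient is my assumption.

```powershell
# Added example: verify and raise the Veeam B&R logging level so that
# Svc.VeeamBackup.log records API calls (level 7, per the post above).
$RegPath  = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$LogFile  = 'C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log'
$Required = 7   # level that logs API calls, per the post

function Get-VeeamLoggingLevel {
    # Returns $null when the value is absent (e.g. not a Veeam host).
    $prop = Get-ItemProperty -Path $RegPath -Name 'LoggingLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.LoggingLevel
}

function Test-VeeamApiLogging {
    # Summarise detection readiness: level, whether API calls are logged,
    # and whether the log file is present and still being written.
    $level = Get-VeeamLoggingLevel
    $exists = Test-Path -LiteralPath $LogFile
    [pscustomobject]@{
        LoggingLevel   = $level
        ApiCallsLogged = ($null -ne $level -and $level -ge $Required)  # assumption: >= 7 is enough
        LogFileExists  = $exists
        LogLastWrite   = if ($exists) { (Get-Item -LiteralPath $LogFile).LastWriteTime } else { $null }
    }
}

function Enable-VeeamApiLogging {
    # Raises LoggingLevel to 7; supports -WhatIf / -Confirm for change control.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = Get-VeeamLoggingLevel
    if ($null -ne $current -and $current -ge $Required) {
        Write-Host "LoggingLevel is already $current; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($RegPath, "Set LoggingLevel (DWORD) from $current to $Required")) {
        Set-ItemProperty -Path $RegPath -Name 'LoggingLevel' -Value $Required -Type DWord
    }
}

# Usage: report the current state, then preview the change before applying it.
Test-VeeamApiLogging | Format-List
Enable-VeeamApiLogging -WhatIf
```

The post does not say whether the running service picks up the new level without a restart, so after changing it, confirm that fresh entries appear in the log file before relying on it for detection.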

In their article, they run the PoC, and the results of that compromise are shown in this log excerpt:

https://gist.github.com/JohnHammond/bab3faa472ab5c241a52cfe8f55d4cc7#file-veeam_poc_logs-txt


The Veeam knowledge base advisory states that the credentials are encrypted and are not returned in plaintext by the database manager. Instead, encrypted values and account UUIDs are provided. With those account identifiers, API calls can be executed to decrypt the credentials into a Base64 encoding of the original value.

Again. Patch right now.

Here's a direct link to the KB and patches for v11 and v12: https://www.veeam.com/kb4424




Thanks Marco, we can't mess with security!


Thanks for mentioning my post @marcofabbri.


Thanks for mentioning my post @marcofabbri.

Of course mate, we’re a team :)


Thanks for sharing this Marco, interesting for sure. Get patching if you have not already, folks!
