Preventing Ransomware Attacks On Backup and Recovery Systems

Recognizing the Threat to Backup and Recovery Systems

Backing up and restoring data is one of several adaptive controls organizations can use to deal with ransomware. Leading backup solutions, including Veeam, Commvault, and Rubrik, offer this capability by automatically restoring clients' files after the ransomware threat ends. Hackers recognize that an effective backup and restore platform undermines their ability to collect ransom from their data encryption attacks.

Conti’s backup-obliteration method

Conti’s attack against backup and recovery systems centers on controlling and exploiting the functionality of the admin console. Conti hackers executed a dual ransomware attack, focusing their strategy on both encrypting client files and exfiltrating them for extortion. Attacking backup systems such as Veeam blocked the client’s ability to self-restore their files.

Using various attack methods, including pen-testing tools, Conti teams attempted a variety of threat vectors, including account takeover of privileged administrator accounts or any corporate accounts with admin-level access to the backup platform. Conti teams would compromise the backup console to access the files and implant their ransomware, preventing the client from using the recovery feature to restore their files. Conti’s dual attack vector combined encrypting the system with exfiltrating the backups, which left clients facing two ransoms from the same attack. By executing both attacks, Conti secured its ransom demands by eliminating the client’s ability to restore their data.

Anatomy of the attack

Conti’s attack against the Veeam platform unfolded in several phases. First, the group used Cobalt Strike Beacon, a commonly available penetration-testing tool, to find vulnerabilities within the Veeam platform. Once Conti found several usable backdoor exploits, they leveraged another common industry tool, Atera, a remote access tool widely used throughout the industry. Conti knew this tool would not draw attention from most SecOps and NetOps teams if it showed up in an asset reporting tool. The Conti group used Atera to gain access via the backdoor discovered with Cobalt Strike Beacon.

Once Conti established remote access into a client’s network, the team leveraged another common tool, Ngrok, a pen-tester utility used to expose server ports to the internet. This tool is critical for the propagation of the ransomware, as it connects the compromised host to the rogue command-and-control server over the internet connection.

In the last step of the attack chain, the Conti group executed an account takeover of the Veeam administration account, which has privileged access to the console. Once Conti had launched the initial data encryption attack, the team began exfiltrating the backup files using a command-line tool called Rclone. After transferring the backup files to their rogue storage sites, Conti deleted all of the client’s backup files, ensuring the restoration sequence would fail.

The first step to protecting your backups from ransomware

Experts who analyzed the Veeam attack chain broke down the anatomy of the attack into separate areas of immediate remediation. Specifically, the experts recommended that preventing rogue remote users from accessing the console should be the first and highest priority.

One of the historic challenges in protecting the Veeam console is the management and protection of RDP connections into the console platform. Remote admins use RDP connections to access and perform actions on the administration console. In the review of the Veeam ransomware attack, Conti successfully connected to the console using a remote RDP connection.

Leveraging third-party secured remote access solutions supporting MFA

Airgap’s Secure Asset Access (SAA) solution is built to enable user connections through an isolation connection proxy for all remote access, with or without VPNs. Airgap SAA enables:

  • Legacy applications with a modern MFA authentication and web access experience, specifically for RDP and SSH connections
  • Secure remote connections without the need to deploy a client agent on the endpoint
  • Full control of who, what, when, and how on your private applications at any time, without exception

The value of the Airgap SAA solution for Veeam console access and security

Functioning as an isolation proxy, Airgap SAA is the first hop for remote Veeam administrators. Once the user clears MFA and SSO authentication, the Airgap SAA platform places the user into a specific group with policy-based routes along with port and protocol restrictions. Remote users are proxied; no direct connections to the destination host or device are permitted.

The Veeam console is configured to accept secure remote access connections from Airgap’s isolation proxy systems only. All other remote or internal access requests are blocked. Airgap Networks’ flexible SAA policies can provide the client with secure connection options for web, cloud, private applications, and legacy non-web-based devices.
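As an added example (not Airgap’s or Veeam’s own code), the following Python check verifies the proxy-only rule from the defender’s side: it parses constructed Windows Security event 4624 records (logon type 10 is RemoteInteractive, i.e. RDP) and flags any session on the backup console whose source address is not one of the isolation proxies. The console host name and proxy addresses are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical values: the Veeam console host and the isolation proxy addresses
# that are the only permitted sources for RDP sessions to it.
BACKUP_CONSOLES = {"VEEAM-BR01"}
ALLOWED_PROXIES = {"10.10.5.21", "10.10.5.22"}
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample: Windows Security events flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=4624;Computer=VEEAM-BR01;TargetUserName=veeam-admin;LogonType=10;IpAddress=10.10.5.21",
    "EventID=4624;Computer=VEEAM-BR01;TargetUserName=veeam-admin;LogonType=10;IpAddress=192.168.40.17",
    "EventID=4624;Computer=FILESRV02;TargetUserName=jdoe;LogonType=10;IpAddress=192.168.40.17",
    "EventID=4624;Computer=VEEAM-BR01;TargetUserName=svc-backup;LogonType=5;IpAddress=-",
    "EventID=4625;Computer=VEEAM-BR01;TargetUserName=veeam-admin;LogonType=10;IpAddress=203.0.113.9",
]

@dataclass(frozen=True)
class Logon:
    host: str
    account: str
    logon_type: int
    source_ip: str

def parse_4624(line: str) -> Optional[Logon]:
    """Return a Logon for a successful-logon (4624) record, else None."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)
    if fields.get("EventID") != "4624":
        return None
    try:
        return Logon(fields["Computer"], fields["TargetUserName"],
                     int(fields["LogonType"]), fields["IpAddress"])
    except (KeyError, ValueError):
        return None  # malformed record: skip it rather than abort the whole check

def violates_policy(ev: Logon) -> bool:
    """True for an RDP session to a backup console that did not arrive via a proxy."""
    if ev.host not in BACKUP_CONSOLES or ev.logon_type != RDP_LOGON_TYPE:
        return False
    return ev.source_ip not in ALLOWED_PROXIES

def find_violations(lines: List[str]) -> List[Logon]:
    """Reduce raw event lines to the console sessions that bypassed the proxy."""
    return [ev for ev in map(parse_4624, lines) if ev is not None and violates_policy(ev)]

if __name__ == "__main__":
    for ev in find_violations(SAMPLE_EVENTS):
        print(f"ALERT: RDP to {ev.host} as {ev.account} from non-proxy source {ev.source_ip}")
```

In production the same rule is applied to a live 4624 feed from the console host, and a hit means the host firewall or proxy policy is not actually enforcing the proxy-only configuration.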

About Airgap

Airgap Networks is the industry’s first Zero Trust agentless segmentation solution. It works at the intersection of IT and OT to ensure your organization stays secure from external and internal threats, based on Zero Trust principles.

Airgap’s comprehensive Zero Trust offerings form a formidable defense against adversaries. Airgap’s Secure Asset Access (SAA) solution ensures that only authenticated, multi-factor-verified (MFA) users gain access to confined resources. Airgap’s Zero Trust Isolation (ZTI) solution ensures that all your assets, modern or legacy, are protected against lateral threat movement.

Based in Santa Clara, Calif., Airgap Networks delivers an agentless Zero Trust Segmentation platform that ring-fences every endpoint and prevents ransomware propagation. Airgap’s unique and patented Ransomware Kill Switch is the most potent response against ransomware threats. Airgap also offers a scalable solution for remote access using Zero Trust principles. https://airgap.io
