Preventing Ransomware Attacks Against Backup Systems
Recognizing the threat to data backup and restore systems
Backing up and restoring data is one of several adaptive controls that organizations can use to defend against ransomware. Infrastructure and operations leaders struggling to defend against ransomware attacks face the likelihood of more attacks involving malicious deletion, encryption and data exfiltration arising from the Russian invasion of Ukraine. IT leaders need a strategy to protect backups and a well-rehearsed ransomware incident response plan for disaster recovery (DR) and business continuity (BC).
Ransomware also targets backup data and infrastructure, which further complicates planning for recovery. Cyberwarfare in response to the Russian invasion of Ukraine is all but certain to increase the frequency of ransomware attacks and make it harder for IT leaders to protect their organizations from costly business disruptions.
Traditional DR relies mainly on data replication to warm- or hot-standby infrastructure. It fails comprehensively during a ransomware attack, because the encrypted data is faithfully replicated to the DR site. Recovering all data completely from such a setup generally takes far longer and is more complex.
Modern backup infrastructure is not a ransomware-prevention solution; it’s the last line of defense in an overall cybersecurity strategy. To implement a secure and high-performance backup system and develop test procedures to recover from the attack, we need to
Conti’s Backup-Obliteration method
Conti’s attack against backups centered on finding and exploiting functionality within the admin console. A backup system gives ransomware victims the ability to restore files once the attack has ended. Conti executes dual ransomware attacks, directing its threat vector at both data encryption and data exfiltration for extortion. Attacking backup systems such as Veeam blocked the client’s ability to self-restore their files.
Using various attack methods, including pen testing various layers within the target network, Conti hacker teams attempt a variety of threat vectors, including takeover of privileged administrator accounts or any corporate accounts with admin-level access to the backup platform. Conti teams would exfiltrate the backup files and implant their ransomware to prevent the client from using the recovery feature to restore their files. Conti’s dual attack vector, encrypting the system while exfiltrating the backups, resulted in clients having to pay two ransoms for the same attack. By executing both attacks, Conti hackers secured their ransom demands by eliminating the client’s ability to restore their data.
Anatomy of the attack
The Conti group focused its resources on exploiting the Veeam backup and restore solution, attacking the Veeam platform in several phases. Using a common pen-testing tool, the Cobalt Strike beacon, the attackers looked for vulnerabilities within the Veeam platform. Once Conti found several usable backdoor exploits, they leveraged another common industry tool, Atera, a remote access tool used throughout the industry. Conti knew this tool would not draw any attention from most SecOps and NetOps teams if it showed up on an asset reporting tool. Conti used Atera to gain access via the exploited backdoor discovered with the Cobalt Strike beacon.
Once Conti established remote access into a client’s network, the attackers leveraged another common tool, Ngrok, a pen-tester tool used to expose server ports to the internet. This tool was critical for the ransomware to connect to the rogue command-and-control server.
The last step in the Conti group’s attack chain was an account takeover of the Veeam administration account with privileged access to the backup and restore console. Once Conti executed the initial data encryption attack, its teams began to exfiltrate the backup files using a command-line tool called Rclone. After transferring the backup files to their rogue storage sites, Conti deleted all the clients’ backup files, ensuring the restoration sequence would fail.
The first step to protecting your backups from ransomware
According to Gartner, backup systems are becoming an attractive target for ransomware attacks for two reasons:
Compromising the backup system makes the follow-on ransomware more effective, because organizations can’t recover data.
Backup systems provide a “map” to where critical data is stored on the network, enabling more targeted attacks that are less likely to be discovered until it’s too late.
It’s important to ensure zero trust access to mission-critical applications and data in your ransomware defense playbook. Let’s use Veeam admin console access as an example. Experts who analyzed the Veeam attack chain broke its anatomy into separate areas of consideration: protecting privileged account access to the console, the discovery of exploited code, and the ease with which remote users can load common IT tools onto a critical platform. In reviewing the initial attack vector, preventing the rogue remote user from accessing the console should be the first and highest priority.
Veeam supports multi-factor authentication for access to its console. Clients can use the time-based one-time password (TOTP) authentication method. Veeam also connects to MFA solutions with 2FA, including Duo and Okta.
One of the historic areas that requires protection for the Veeam console is the management and protection of RDP connections into the platform. Remote admins use RDP connections to access the host and perform actions on it. The review of the Veeam ransomware attack found that Conti successfully connected to the console using a remote RDP connection.
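The chain described above (Atera and Ngrok appearing on the backup host, an RDP takeover of the Veeam admin account, Rclone exfiltration, then deletion of the backups) gives a defender concrete events to watch for. The following Python is an added example, not code from this article or from any Airgap or Veeam product: it runs simple detection rules over constructed JSON events, flagging known remote-access and exfiltration tools launched on a backup host, RDP logons to it from anywhere but an approved jump host, console logons without MFA, and backup deletions. The host names, IP addresses and event fields are constructed assumptions, not a real log format.

```python
import json
from typing import Iterable, List, Optional

# Tools the Conti chain above dropped on the backup host; benign admin tools
# elsewhere, but with no business running on a Veeam server.
SUSPICIOUS_PROCESSES = {"ateraagent.exe", "ngrok.exe", "rclone.exe"}
# Constructed policy: in-scope backup hosts and the only jump host allowed to open RDP to them.
BACKUP_HOSTS = {"veeam01"}
ALLOWED_RDP_SOURCES = {"10.0.5.10"}

def classify(event: dict) -> Optional[str]:
    """Return an alert string for one parsed event, or None if benign."""
    if event.get("host") not in BACKUP_HOSTS:
        return None  # only the backup infrastructure is in scope here
    kind = event.get("type")
    if kind == "process_start":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in SUSPICIOUS_PROCESSES:
            return f"remote-access/exfil tool on backup host: {image}"
    elif kind == "logon":
        # Windows logon type 10 = RemoteInteractive, i.e. an RDP session.
        if event.get("logon_type") == 10 and event.get("src_ip") not in ALLOWED_RDP_SOURCES:
            return f"RDP logon from non-approved source {event.get('src_ip')}"
        if event.get("mfa") is False:
            return f"console logon without MFA by {event.get('user')}"
    elif kind == "backup_deleted":
        return f"backup deletion of job {event.get('job')}"
    return None

def scan(lines: Iterable[str]) -> List[str]:
    """Parse one JSON event per line and collect the alerts in order."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events (not real Veeam or Windows log output).
SAMPLE_LOG = [
    r'{"host":"veeam01","type":"logon","user":"vbradmin","logon_type":10,"src_ip":"10.0.5.10","mfa":true}',
    r'{"host":"veeam01","type":"logon","user":"vbradmin","logon_type":10,"src_ip":"203.0.113.7","mfa":false}',
    r'{"host":"veeam01","type":"process_start","image":"C:\\Tools\\rclone.exe"}',
    r'{"host":"ws-042","type":"process_start","image":"C:\\Temp\\ngrok.exe"}',
    r'{"host":"veeam01","type":"backup_deleted","job":"SQL-Daily"}',
]
```

Running `scan(SAMPLE_LOG)` raises three alerts (the foreign-source RDP logon, Rclone on the backup host, and the backup deletion) while the Ngrok launch on the workstation is out of scope for these backup-focused rules.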
Leveraging 3rd-party secured remote access solutions supporting MFA/2FA
Airgap’s Secure Asset Access (SAA) solution was built to immediately close the authentication gap and enable seamless MFA integration with legacy enterprise applications. With or without VPN, Airgap SAA provides legacy applications with modern MFA authentication that exactly mirrors how users are granted access to existing SaaS and cloud-based applications. https://airgap.io/secure-asset-access/
Securing access to the Veeam console
Airgap functions as an isolation proxy: Veeam administrators connect to Airgap’s Secure Access Gateway, which places the user into an authenticated group with policy-based routes along with port and protocol restrictions. Airgap provides a front-end encrypted connection to the remote user while creating a separate back-end encrypted connection to the Veeam platform. Remote users never connect directly to the Veeam host. Airgap’s flexible SAA policies can provide the client with secure connection options for any public-facing, private or legacy application.
Airgap Networks is the industry’s first Zero Trust agentless segmentation solution, based on Zero Trust principles, that works at the intersection of IT and OT to ensure your organization stays secure from external and internal threats.
Airgap’s comprehensive Zero Trust offerings form a formidable defense against adversaries. Airgap’s Secure Asset Access (SAA) solution ensures that only authenticated, multi-factor-verified (MFA) users gain access to confined resources. Airgap’s Zero Trust Isolation (ZTI) solution ensures that all your assets, modern or legacy, are protected against lateral threat movement.
Based in Santa Clara, Calif., Airgap Networks delivers an Agentless Zero Trust Segmentation platform that ring-fences every endpoint and prevents ransomware propagation. Airgap’s unique and patented Ransomware Kill Switch™ is the most potent response against ransomware threats. And Airgap offers a scalable solution for remote access using Zero Trust principles. https://airgap.io