Recognizing the threat to data backup and restore systems
Backing up and restoring data is one of several adaptive controls organizations can use to deal with ransomware. Several industry-leading backup solutions, including Veeam, Commvault, and Rubrik, offer this capability. These solutions use several functions, including artificial intelligence and machine learning, to protect against ransomware. Attackers recognize that an effective backup and restore platform will limit their ability to collect ransom from a data encryption attack.
Conti’s Backup-Obliteration method
Conti’s attack against backups centered on finding and exploiting functionality within the admin console. Backup systems give victims of ransomware the ability to restore files once the attack has ended. Conti, executing dual ransomware attacks, focuses its threat vector on both data encryption and data exfiltration for extortion. Attacking backup systems such as Veeam blocked the client’s ability to self-restore their files.
Using various attack methods, including probing multiple layers of the target network, Conti teams attempt a variety of threat vectors, including account takeover of privileged administration accounts or any corporate accounts with admin-level access to the backup platform. Conti teams would exfiltrate the backup files and implant their ransomware to prevent the client from using the recovery feature to restore their files. Conti’s dual attack vector, encrypting the system while exfiltrating the backups, resulted in clients having to pay two ransoms for the same attack. By executing both attacks, Conti secured its ransom demands by eliminating the client’s ability to restore their data.
Anatomy of the attack
The Conti group focused its resources on exploiting Veeam backup and restore deployments, attacking the platform in several phases. Using a common penetration-testing tool, the Cobalt Strike beacon, the attackers looked for vulnerabilities within the Veeam platform. Once Conti had found several usable backdoor entry points, they leveraged another common industry tool, Atera, a remote access tool used widely throughout the industry. Conti knew this tool would not draw attention from most SecOps and NetOps teams if it showed up on an asset reporting tool. Conti then used Atera to gain access via the backdoor discovered with the Cobalt Strike beacon.
Once Conti established remote access into a client’s network, the attackers leveraged another common tool, Ngrok, a penetration-tester utility used to expose server ports to the internet. This tool was critical for the ransomware to connect to the rogue command-and-control server.
The last step in the attack chain was an account takeover of the Veeam administration account, which has privileged access to the backup and restore console. Once Conti executed the initial data encryption attack, its teams began exfiltrating the backup files using the command-line tool Rclone. After transferring the backup files to their rogue storage sites, Conti deleted all of the clients’ backup files, ensuring the restoration sequence would fail.
First step to protecting your backups from ransomware
Experts who analyzed the Veeam attack chain broke its anatomy into separate areas of consideration: protecting privileged account access to the console, the discovery of exploited code, and the ease with which remote users could load common IT tools onto a critical platform. In reviewing the initial attack vector, preventing the rogue remote user from accessing the console should be the highest priority.
Veeam supports multi-factor authentication for access to its console. Clients can use the Time-based One-Time Password (TOTP) method. Veeam also integrates with MFA (multi-factor authentication) and 2FA solutions, including Duo and Okta.
One long-standing requirement for protecting the Veeam console is the management and protection of RDP connections into the platform. Remote admins use RDP connections to access the host and perform actions on it. In the review of the Veeam ransomware attack, Conti successfully connected to the console over a remote RDP connection.
Leveraging third-party secure remote access solutions that support MFA/2FA
Airgap’s Secure Asset Access (SAA) solution was built to immediately close the authentication gap in legacy enterprise applications with a seamless MFA solution. Sitting behind a customer’s existing VPN solution, Airgap SAA provides legacy or private applications with modern MFA authentication that exactly mirrors how users are granted access to existing SaaS and cloud-based applications. By integrating with the organization’s existing SSO service provider, security teams can extend the second layer of MFA authentication across all applications. Airgap provides this secured connection without the need to deploy a client agent on the endpoint. Airgap’s SAA platform also provides an HTML-based secured front end for connections to legacy OT and ICS systems via RDP.
Secure Access for Veeam Console
Airgap’s SAA platform functions as a full reverse proxy: Veeam administrators connect to the Airgap Networks platform first, and Airgap integrates with the client’s existing MFA and SSO platforms for authentication. Once the user clears authentication, the SAA platform places the user into a specific group with policy-based routes along with port and protocol restrictions. The Veeam console is configured to accept secure remote access connections only from the Airgap Networks proxy systems; all other remote access requests are blocked. Airgap provides a fully encrypted front-end connection to the remote user and a separate encrypted back-end connection to the Veeam platform, so remote users never connect directly to the Veeam host. Airgap Networks’ flexible SAA policies can give the client secure connection options for web, cloud, and legacy applications via RDP, SSH, and HTTPS.
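The "proxy systems only" rule above has to be enforced on the Veeam host itself, not just assumed. The following is an added example, not Airgap's or Veeam's code: a PowerShell script for the Windows host running the Veeam console that disables the built-in open RDP rules, allows TCP/3389 only from the proxy addresses, and then audits that no enabled rule still exposes RDP to any source. The proxy addresses and rule name are placeholders, and the "Remote Desktop" group name assumes an English-language Windows install.

```powershell
# Added example (not Airgap's or Veeam's code). Run elevated on the Veeam host,
# from a console or out-of-band session so the change cannot lock you out.
$ProxyAddresses = @('10.10.50.11', '10.10.50.12')   # ASSUMPTION: your SAA proxy IPs
$RuleName       = 'Veeam-RDP-From-Proxy-Only'       # placeholder rule name

function Set-BackupHostRdpRestriction {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedFrom,
        [string] $Name = $RuleName
    )
    # 1. Weak setting: the built-in rules allow RDP from any address. Disable them.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object Direction -eq 'Inbound' |
        Disable-NetFirewallRule

    # 2. Remove any earlier copy of our rule so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # 3. Hardened setting: TCP/3389 is reachable only from the proxy addresses.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedFrom -Profile Any | Out-Null

    # 4. Anything not explicitly allowed inbound is blocked on every profile.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
}

function Test-BackupHostRdpRestriction {
    # Returns $true only if no enabled inbound allow rule exposes 3389 to 'Any'.
    $open = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -in @('TCP', 'Any')) -and
            ($port.LocalPort -contains '3389' -or $port.LocalPort -eq 'Any') -and
            ($addr.RemoteAddress -contains 'Any')
        }
    if ($open) {
        Write-Warning ('RDP still reachable from Any via: ' + ($open.DisplayName -join ', '))
        return $false
    }
    return $true
}

Set-BackupHostRdpRestriction -AllowedFrom $ProxyAddresses
Test-BackupHostRdpRestriction
```

The audit function is worth running on its own on a schedule, since a later admin or installer can quietly re-enable the open "Remote Desktop" rules.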
About Airgap Networks
Airgap Networks is the industry’s first Zero Trust agentless segmentation solution. Working at the intersection of IT and OT and based on Zero Trust principles, it ensures your organization stays secure from external and internal threats.
Airgap’s comprehensive Zero Trust offerings form a formidable defense against adversaries. Airgap’s Secure Asset Access (SAA) solution ensures that only authenticated, MFA-approved users gain access to confined resources. Airgap’s Zero Trust Isolation™ solution ensures that all your assets, modern or legacy, are protected against lateral threat movement.
Based in Santa Clara, Calif., Airgap Networks delivers an Agentless Zero Trust Segmentation platform that ring-fences every endpoint and prevents ransomware propagation. Airgap’s unique and patented Ransomware Kill Switch™ is the most potent response against ransomware threats. Airgap also offers a scalable solution for remote access using Zero Trust principles. https://airgap.io