June 04, 2024

Is Software-based Backup Leaving Your Clients’ Data at Risk?

By Adam Marget
Patch ManagementDatto RMM

As an MSP, you stake your business and reputation on delivering consistent, reliable and effective services to keep your clients operational. Data is one of your clients’ most valuable assets, and it’s under constant attack. As cybercriminals shift their focus from enterprises to targeting SMBs, the ever-increasing frequency, sophistication and damage wrought by modern attacks, like ransomware, highlights the crucial role of a resilient business continuity and disaster recovery (BCDR) solution.

Proven, secure BCDR is essential in today’s 24/7 digital economy to facilitate swift response to a cyberattack and mitigate the damage it causes. Your backups serve as your clients’ last line of defense and, as such, are often the first target of malicious actors. If you’re relying on a software-based backup solution, your clients’ data may be at risk.

Ransomware and other criminal actors leverage four primary attack vectors to target backup software:

  1. Active Directory attack
  2. Virtual Host Takeover
  3. Windows-based software attacks
  4. High-scoring Common Vulnerabilities and Exposures (CVEs)

Active Directory attack

For many (if not all) of your customers, Active Directory (AD) is mission-critical. AD provides identity and access management for users to log in to IT systems, acting as a gateway to their corporate network. As such, AD attacks make for a powerful extortion technique, since without it, all operations and productivity grind to a halt.

Many organizations may opt to integrate their backup software with AD to streamline management by leveraging existing user accounts, group memberships and organizational structures. AD can also be used to automate user authentication and access control, making it easy for techs to use AD permissions to control who has access to the software and underlying infrastructure.

In the event of an attack against such a configuration, Active Directory becomes a single point of failure for both production and backup. Ransomware doesn’t encrypt the Active Directory itself but uses it to access and encrypt connected hosts and domain-joined systems, including the backup software. Alternatively, the creation or escalation of stolen credentials provides malicious actors direct access to the backup software. Testing of notorious ransomware variants, such as WannaCry, TeslaCrypt and Jigsaw, revealed that not only were relevant domain services not shut down, but the Active Directory database storing user credentials was not encrypted.

Virtual Host Takeover (Compromised Creds, DC or VM Escape)

Virtualization technology enables more efficient utilization of physical server resources by enabling multiple virtual servers (application servers, file servers, web servers, etc.) to run on a single physical server (the host). The virtual servers (referred to as virtual machines or VMs) are, by design, self-contained environments running off of host resources, but otherwise isolated from the host OS and other VMs running on the host.

A VM escape attack utilizes an exploit, such as a misconfiguration or vulnerabilities in the guest tools or hypervisor code, to compromise the typical behavior of the virtual environment by enabling a VM’s operating system to interact directly with the hypervisor. In a successful attack, the VM “escapes” isolation to take control over the host OS and all other VMs running on the host, including any backup software.

The underlying infrastructure is at risk due to lateral movement and an expanding attack surface. To further disrupt operations, nefarious actors may exfiltrate data, deploy malicious code or execute denial-of-service attacks.

Windows-based software attacks

Windows holds well over 70% of the operating system market share, so it’s no surprise that attackers have Windows-based software firmly in their targets. Attacks against Windows environments focus on exploiting misconfigurations and vulnerabilities inherent in various versions and releases of the operating system. In some cases, known attack techniques (such as the automated exfiltration of data) are not easily mitigated by preventative controls as they’re achieved by abusing native features.

The Windows threat surface is broad but also fragmented due to the vast number of versions and releases. However, there are commonalities that present risk. Since they are often configured to run by default, malicious actors commonly exploit these services within the Windows ecosystem for an access vector:

  • Microsoft IIS (Internet Information Services): Attackers will leverage vulnerabilities within IIS to gain unauthorized access to web server software.
  • WebDAV (Web Distributed Authoring and Versioning): An HTTP extension that enables clients to manipulate files on a web server.
  • SMB/CIFS (Server Message Block Protocol): A file-sharing protocol used to authenticate and interact with a Windows system.
  • RDP (Remote Desktop Protocol): It provides remote access to authenticate and interact with a Windows system.
  • WinRM (Windows Remote Management Protocol): It facilitates remote access to Windows systems.

High-scoring CVEs

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. Managed and maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC), CVE is sponsored by the U.S. federal government, with both the Department of Homeland Security (DHS) and Cybersecurity Infrastructure Agency (CISA) contributing to it.

Since the program began in 1999, more than 130,000 CVE identifiers have been issued. In recent years, 10,000-15,000 new CVEs are reported each year. Large software vendors represent a significant portion of reported CVEs. Microsoft and Oracle, for example, have more than 6,000 CVEs reported across their various software product lines. The Common Vulnerability Scoring System (CVSS) assigns severity scores (from 0-10, with 10 being the most severe) to vulnerabilities to help users prioritize resources and responses according to the threat level.

It’s crucial to monitor CVEs to stay informed of potential vulnerabilities across your software stack and to stay on top of vendor advisories. For example, CVE-2023-27532 is a known exploit leveraged by ransomware gangs that enables an unauthenticated user operating within the backup infrastructure to extract encrypted credentials from the configuration database to gain access to the backup infrastructure hosts.

Other notable CVEs recently reported against backup software include risks of account takeover via New Technology LAN Manager (NTLM) relay, allowing unauthorized users to log in as any user for an enterprise manager web interface, and making it possible to perform Remote Code Execution (RCE) on a service provider console server machine.

Data resilience with Datto

Ensuring cyber resilience for your customers goes beyond simply the backup solution. The security and immutability of the backup environment are critical, but the strategy and implementation are equally as important.

Properly backing up data, securing backups and testing recovery is key to ensuring business continuity for your clients in case of an attack. Datto offers hardened, turnkey, Linux-based backup appliances that isolate backups from any virtual infrastructure and store them outside of the Windows attack surface. Ransomware detection alerts technicians to early signs of infection, and the immutable Datto Cloud provides off-site images of backups protected through multiple security layers.

Defense against ransomware and advanced cyberthreats requires a multifaceted, continuous effort that extends beyond backup and recovery. User awareness training, security controls and a well-tested BCDR strategy all play a part in keeping your clients safe.

Relying solely on software-based backup puts your clients at risk. If you want to learn more about how Datto’s solutions and immutable cloud can help shore up defenses, get in touch today!   

Suggested Next Reads