Truth, Lies and BCDR: Are Your Software-based Backups Vulnerable?

Your data is one of your most valuable assets, and it’s constantly under attack. The ever-growing frequency, sophistication and damage wrought by modern cyberattacks, such as ransomware, underscore the vital importance of resilient business continuity and disaster recovery (BCDR) solutions.

Proven, secure BCDR is essential in today’s always-on, digital world to respond swiftly to and mitigate the damage from a cyberattack. While backups are your last line of defense, they’re often the first target of criminal actors. Your data may be at risk if you rely on a software-based backup solution.

Ransomware and other criminal actors leverage four primary attack vectors to target backup software:

  1. Active Directory attack
  2. Virtual Host Takeover
  3. Windows-based software attacks
  4. High-scoring Common Vulnerabilities and Exposures (CVEs)

Active Directory attack

For most organizations, Active Directory is mission critical. It provides identity and access management for users to log in to your IT systems and serves as a gateway to the rest of your network. As such, attacks on Active Directory make for an excellent extortion technique.

Many organizations integrate their backup software with Active Directory to streamline user and system management. This leverages existing user accounts, group memberships and organizational structures, and automates user authentication and access control. Backup admins can use Active Directory permissions to control who has access to the software and infrastructure.

In the event of an attack, Active Directory becomes a single point of failure for both production and backup. Ransomware doesn’t encrypt the Active Directory itself; instead, it uses it to reach and encrypt connected hosts and domain-joined systems, including your backup software. Alternatively, creating new accounts or escalating stolen credentials gives malicious actors direct access to the backup software. Testing of notorious ransomware variants, such as WannaCry, TeslaCrypt and Jigsaw, revealed that not only were the relevant domain services left running, but the Active Directory database storing user credentials was not encrypted.

Virtual Host Takeover (Compromised Creds, DC or VM Escape)

Virtual hosts run multiple virtual servers (application servers, file servers, web servers, etc.) on a single physical server, enabling more efficient resource utilization. By design, the virtual machines (VMs) are self-contained environments on the host, isolated from the host OS and other VMs running on the host.

A VM escape attack exploits a misconfiguration or a vulnerability in the guest tools or hypervisor code to subvert the normal behavior of the virtual environment, letting a VM interact directly with the hypervisor. A successful attack “escapes” the isolation of the VM and takes control of the host OS and every other VM running on it.

The underlying infrastructure is then at risk: the attack surface expands and lateral movement becomes possible. Attackers may exfiltrate data, deploy malicious code or execute denial-of-service attacks to disrupt operations.

Windows-based software attacks

With well over 70% market share, it’s no surprise attackers have Windows-based software firmly in their crosshairs. These attacks exploit misconfigurations and vulnerabilities inherent in a specific operating system, such as Windows. Preventative controls cannot easily mitigate some attack techniques (such as the automated exfiltration of data) because they are achieved by abusing native features.

While the Windows threat surface is fragmented across many versions and releases, some commonalities present risks. Because they are often enabled by default, criminal actors commonly exploit the following Windows services as an access vector:

  • Microsoft IIS (Internet Information Services): Attackers leverage vulnerabilities within IIS to gain unauthorized access to the web server software.
  • WebDAV (Web Distributed Authoring and Versioning): An HTTP extension that enables clients to manipulate files on a web server.
  • SMB/CIFS (Server Message Block Protocol): A file-sharing protocol used to authenticate to and interact with a Windows system.
  • RDP (Remote Desktop Protocol): Provides remote interactive access to authenticate to and operate a Windows system.
  • WinRM (Windows Remote Management Protocol): Facilitates remote management of Windows systems.

High-scoring CVEs

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. It is managed and maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC), which is sponsored by the U.S. federal government. The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) contribute to it.

There are thousands of new CVEs every year. Since the program began in 1999, more than 130,000 CVE identifiers have been issued. Large software vendors represent a significant portion of reported CVEs. Microsoft and Oracle, for example, have more than 6,000 CVEs reported across their various product lines. The Common Vulnerability Scoring System (CVSS) assigns severity scores (from 0 to 10, with 10 being the most severe) to vulnerabilities to help users prioritize resources and responses according to the threat level.

Monitoring CVEs to understand potential vulnerabilities across your software stack, and staying on top of vendor advisories, is crucial. For example, CVE-2023-27532 is a known vulnerability exploited by ransomware gangs: it enables an unauthenticated user operating within the backup infrastructure to extract encrypted credentials from the configuration database and use them to gain access to the backup infrastructure hosts.

Other notable CVEs recently reported against backup software include account takeover via New Technology LAN Manager (NTLM) relay, unauthorized users being able to log in as any user to an enterprise manager web interface, and Remote Code Execution (RCE) on a service provider console server.

Backup and recovery resilience with Unitrends

Cyber resilience extends beyond the backup solution itself. The security and immutability of the backup environment are critical, but the strategy and its implementation are equally important.

Unitrends offers hardened, turnkey, Linux-based backup appliances that isolate backups from the virtual infrastructure and store them outside of the Windows attack surface. Predictive Analytics flags anomalies (such as ransomware activity) within the backup data, and Recovery Assurance testing validates backups for integrity and recoverability. Customers have also used the Recovery Assurance job to automate the creation of isolated environments in which third-party security solutions verify that backups are free of ransomware, often a requirement of cyber liability insurance.

To safeguard a copy of your backups off-site, Unitrends offers support for a variety of replication targets, including our own Forever Cloud. Unitrends Forever Cloud is a proprietary cloud service providing secure, cost-effective data retention and Disaster Recovery-as-a-Service (DRaaS). Data is stored immutably in the Unitrends cloud — a local appliance can read copies and download files, objects and backup groups, but it cannot change, modify or delete backups written to the cloud.

Defense against ransomware requires a multifaceted, continuous effort that extends beyond backup and recovery. User awareness training, security controls and a well-tested BCDR strategy all contribute to keeping your organization safe from advanced threats.

Relying solely on software-based backup leaves your data at risk. If you want to learn more about how Unitrends backup and disaster recovery solutions and the immutable cloud can help shore up your defenses, get in touch today!
