I have a Windows Server 2022 with Veeam running on a Hyper-V machine that hadn't been touched for a year. Recently, it was attacked by ransomware and ended up being a key part of the issue. The server hadn't received any updates during that time and I don't quite understand how it was compromised since it's protected by a firewall. Is it possible that a user could have run an infected executable that scanned for vulnerabilities in Veeam? It's a huge loss, as we lost 50 VMs because of this, including backups from both Veeam and Altaro.
5 Answers
Honestly, I find it puzzling that people run Veeam in a VM like this. It's like saying that the first step of your disaster recovery is to just re-deploy Veeam and then rescan your backups. That's not a solid backup plan at all!
Was your Veeam server part of a domain? That could be a crucial factor here since being on a domain might make it easier for an attacker to access it.
Yes, it was indeed on the domain.
Remember, Veeam does release security patches regularly. Who's responsible for applying those updates in your setup? Because neglecting them can lead to vulnerabilities being exploited.
We've seen a similar case before. The Veeam software itself wasn't to blame, but intruders often exploit servers to run scripts that dump SQL database credentials. If the service account used for Veeam was a domain admin, that’s a real problem because they can gain significant control over the environment. Investigations have shown that attackers specifically target Veeam servers.
Veeam has an article that discusses how attackers can extract credentials and some details about security steps:
https://www.veeam.com/kb4349
In summary, if someone has local admin rights on your backup controller, your security is pretty much compromised.
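A defender-side audit for the point made above (a Veeam service account that is also a Domain Admin), added here as an example and not taken from the thread or from Veeam. It assumes the ActiveDirectory RSAT module is available on a domain-joined host, and it identifies the backup services by matching the string "Veeam" in their names, which is an assumption about how they are named.

```powershell
# Added example (not from the thread): list services whose name mentions Veeam
# and flag any whose logon account is a member of Domain Admins.
# Assumes the ActiveDirectory module is installed and the host is domain-joined.
Import-Module ActiveDirectory

# Resolve Domain Admins membership once; -Recursive so nested groups count.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Matching on the string "Veeam" is an assumption about the service names.
$veeamServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like '*Veeam*' -or $_.DisplayName -like '*Veeam*' }

$veeamServices | ForEach-Object {
    $logon = $_.StartName               # e.g. 'CORP\svc-veeam' or 'LocalSystem'
    $sam   = ($logon -split '\\')[-1]   # strip any domain prefix
    $isDA  = $domainAdmins -contains $sam

    [pscustomobject]@{
        Service     = $_.Name
        LogonAs     = $logon
        DomainAdmin = $isDA
        Finding     = $(if ($isDA) { 'HIGH: backup service runs as Domain Admin' } else { 'ok' })
    }
} | Format-Table -AutoSize
```

Any row marked HIGH is a service account that, if its credentials are dumped from the backup server, hands over the whole domain; such accounts should be replaced with least-privilege service accounts.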
It’s possible the attack didn't originate with the Veeam server itself. Once an attacker gains access to it, they could do a lot – including spreading ransomware from there. Your assumption that Veeam was hacked first may not be accurate.
I see your point, but the re-deploy/rescan steps are still applicable regardless of whether Veeam is virtual or not.