What do you mean, MORE CVEs?
In my blog from just a few weeks ago (and yes, I’m using the same image!) I covered a recent cyber security threat whereby ransomware gangs were targeting Veeam backup instances using older known (and fixed) Veeam exploits to compromise the backups and attack customers. While these weren’t new vulnerabilities, and they had patches/fixes available for customers to deploy, the ransomware gangs understood that not every Veeam customer would have actually applied those fixes to their environment. Patching and rebooting your backup environment isn’t something you can just do whenever you want, and some customers might not have even been aware that these exploits existed, let alone how to get them fixed…and that was just ONE Veeam security flaw (such flaws are catalogued as Common Vulnerabilities and Exposures, or CVEs for short) that was being exploited.
Fast forward to September 2024, when Veeam quietly disclosed in a knowledge base article that they’d uncovered not just 1 new CVE in their software, but 18 new vulnerabilities - several of which were rated as “critical”! Furthermore, these flaws don’t affect some hardly-used niche pieces of the Veeam portfolio, but their core/flagship software that every Veeam customer and Service Provider (MSP) now needs to patch.
Unfortunately, in the time it took to publish this blog, Hacker News shared that Sophos was tracking active campaigns exploiting [Veeam] CVE-2024-40711. A series of attacks had leveraged compromised VPN credentials and this CVE to create a local account and deploy ransomware. In these incidents, attackers deployed Fog and Akira ransomware. It’s worth noting that Sophos Endpoint / EDR tools detected the Fog incidents and halted the attack.
While Veeam certainly has had a lot more critical CVEs disclosed in the past 12 months, this problem isn’t just theirs - it applies to any and every legacy “build-it-yourself” backup solution where you, the customer, are responsible for deploying, scaling, maintaining, securing, and fixing the backup environment. These cases underline the importance of patching known vulnerabilities for critical applications like backup, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access.
But it doesn’t have to be that way…
Time to Shift to SaaS Backup - Druva’s got you covered
With a SaaS or cloud-based backup solution, like the Druva Security Cloud, these constant security headaches simply disappear. Since there are no backup servers, consoles, databases, or storage to manage (hint: it’s all our cloud) there’s nothing to update, patch, fix, or reboot. Druva takes care of keeping our platform, and all of our customers, in a constant hardened state of security. The solution is always up-to-date, and any fixes that do need to be done are done by Druva transparently and non-disruptively behind the scenes - you don’t have to lift a finger.
This eliminates the risk that your specific backup environment might be left vulnerable or exposed due to a missed patch or update - Druva does all that for you. So, while Veeam customers are stuck having to apply multiple security patches, hotfixes, and updates every few months, Druva customers are sitting stress-free knowing that their backups are up to date and secure. That’s our commitment to you: Data security on autopilot.
Currently comparing legacy “do it yourself” backup solutions to fully managed SaaS data security solutions like Druva? Read the solution brief to see how Druva stacks up vs. the competition and ensure you have considered everything.