Why the Latest Backup Server Vulnerability Signals a Dangerous Ransomware Risk

W. Curtis Preston, Chief Technology Evangelist

If you spend any time tracking ransomware alerts, one thing soon becomes clear. Remote server access to your backup environment is a growing risk, and businesses would do well to examine their backup server vulnerability. 

Case in point, the alert issued last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding another vulnerability to its Known Exploited Vulnerabilities Catalog. As reported in Hacker News, a remote code execution vulnerability in Veeam’s backup and replication service is being exploited in attacks. CISA states that the vulnerability makes it possible for unauthenticated users to access internal API functions, “which may lead to uploading and executing of malicious code.”

As long as your data protection and ransomware recovery strategy depends on traditional hardware/software-based approaches, you’re going to have to worry about remote server access (the #2 most popular attack vector). 

Why Hackers Love to Target Backups

Backups are your last line of defense against ransomware. Unfortunately, they can be a weak line that doesn’t hold up against attack.

I wrote about this problem recently in a Network World article on the dangers of compromised backup servers: “Hackers understand that backup servers are often under-protected and administered by junior personnel that are less well versed in information security.” (See “Ransomware: It’s coming for your backup servers.”)

A particular danger is exfiltration. Basically, if bad actors can exfiltrate and decrypt your company’s secrets via the backup server, you’re defenseless against their extortion demands. 

Operational Security Best Practices for Backup Vulnerability Management

To protect their backup data, organizations should consider best practices that have shown proven success in ransomware attacks. For example, here are some of the security best practices we have built into the Druva Data Resiliency Cloud:

  • Leverage cloud-based infrastructure to make use of public cloud security standards. Druva is built on Amazon S3 to leverage Amazon Web Services industry-leading security. In addition, as a SaaS vendor, Druva further expands on inherent infrastructure security with capabilities that go beyond native data protection, such as immutability, air gapping, and more.
  • Implement backup platform observability and alerting – Druva uses observability tools to improve platform security and stop events in progress such as bulk deletions or configuration changes, or encryption from ransomware – and to accelerate response and forensics efforts with relevant log and data change records.  See if such tools and capabilities are available for your backup platform. 
  • Encrypt backup data wherever it is stored. For instance, Druva uses TLS encryption for data in flight and AES 256-bit encryption for data at rest.
  • Take a multi-layered security approach that includes deduplication. You want to separate the storage of data and metadata and use block-level deduplication. Doing so disguises the structure of your data so bad actors cannot reconstitute it. 
  • Use role-based access controls, taking a least-privilege approach so that each person has the access they need to perform their job, but no more.  

Learn More about Ending Backup Server Vulnerability

The Druva Data Resiliency Cloud removes the risk of hackers exploiting backup server vulnerabilities. You can learn more about Druva’s end-to-end approach to data security in the Druva Security Overview white paper.