Noberus ransomware gets info-stealing upgrades, targets Veeam backup software

Crooks spreading the Noberus ransomware are adding weapons to their malware to steal data and credentials from compromised networks. An extensively updated version of the Exmatter data exfiltration tool was seen last month being used with Noberus in ransomware infections, and at least one affiliate using Noberus was detected …

  1. Jou (Mxyzptlk) Silver badge

    Solution seems to be obvious

    At least from my point of view it is simple: to get access to that SQL you have to be able to connect to it with the right credentials.

    So the solution is, as I recommend it anyway, and as I try to push it when I see someone not doing it my way: Veeam backup server(s), with their SQL, may NOT be part of the normal AD domain/tree/trust, preferably completely standalone, with different credentials. Windows Firewall configured to be tightened down on top. Otherwise they are way too easy a target.

    Did I read the article the right way? Or can that be exploited without auth as well? Or an auth-bypass?

    1. Dimmer Bronze badge

      Re: Solution seems to be obvious

      From a disaster recovery standpoint: NEVER use AD on anything you will need to restore your network. I know of one location that had a VBlock with the AD server running in a VM. They could not log in to the VBlock to bring up the AD server (it was not set to auto start).

      Never EVER use the same password on your backup you use on anything else.

      Build a backup proxy: pull from the source and place the backup. Backup and source can't talk. Don't trust MS; use VLANs and ACLs or firewall rules.

      And....

      I got so pissed at every program I install wanting to phone home or becoming useless due to an unwanted update, to the point that you can't even tell if there is a virus making an outbound connection, that I wrote a program that, every time the screen saver comes on, changes the gateway to an address that is not used. If there is a local thing I need my computer to do at that time, I add a static route. I keep a running log of when the system logged in and out so I can easily verify its use, and a list of current processes that use an internet connection. After logging in and the gateway comes back online, it is like turning on the kitchen light and watching roaches scurry for their hiding places. They get added to the "route to null" list.

      Oh, and by the way, Micro$oft application firewall does not block this stuff.

      1. Jou (Mxyzptlk) Silver badge

        Re: Solution seems to be obvious

        > Oh, and by the way, Micro$oft application firewall does not block this stuff.

        Oh, that is a config thing. It starts with setting the inbound AND outbound default to "block" and then whitelisting. The default is to allow outgoing unless a blocking rule is set (which is a fine default for 99% of things).

        And with whitelisting outbound connections you can control who it is allowed to talk to.

        For the home OS I used Binisoft WFC, which gives you much better control of the Windows firewall. Since Win11 is on their list as supported now: time to install again :D...
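The configuration Jou describes above (set the inbound and outbound default to block, then allow-list what may talk out), written as PowerShell against the built-in Windows Defender Firewall cmdlets. This is an added example, not code from any commenter and not Binisoft WFC; the program paths, the `192.0.2.10` address and the port numbers are placeholders to be replaced with the real binaries and endpoints. Run it from an elevated session.

```powershell
# Added example, not from the thread: default-deny both directions, then allow-list
# outbound per program. Program paths, remote address and ports are placeholders.
#Requires -RunAsAdministrator

# 1. Record the current defaults so the change is visible (and reversible).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Default deny in both directions on all three profiles. Logging blocked
#    packets is what turns a silent "phone home" into a line you can inspect.
#    The built-in "Core Networking" rules (DNS, DHCP) stay enabled, so name
#    resolution keeps working under the new outbound default.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 3. The allow-list: one outbound rule per program, scoped to the protocol,
#    port and remote host it actually needs. Placeholder entries.
$allowList = @(
    @{ Name = 'Allow-Browser-HTTPS';  Program = 'C:\Program Files\ExampleBrowser\browser.exe'; Port = 443;   Remote = 'Any' }
    @{ Name = 'Allow-Backup-Agent';   Program = 'C:\Program Files\ExampleBackup\agent.exe';   Port = 10005; Remote = '192.0.2.10' }
)

foreach ($entry in $allowList) {
    # Idempotent: drop any stale rule of the same name before recreating it.
    Get-NetFirewallRule -DisplayName $entry.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $entry.Name `
        -Direction Outbound -Action Allow `
        -Program $entry.Program `
        -Protocol TCP -RemotePort $entry.Port -RemoteAddress $entry.Remote `
        -Profile Any | Out-Null
}

# 4. Anything not on the list now appears as a DROP ... SEND line in the log;
#    review these before adding a rule, rather than allowing them blindly.
Get-Content -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50 |
    Where-Object { $_ -match ' DROP ' -and $_ -match 'SEND\s*$' }
```

Step 4 is the check that matters for the complaint in the next reply: with `-LogBlocked True` set, an outbound connection the firewall really blocked is recorded with action `DROP` and direction `SEND`, so traffic that still leaves the box without a matching line is going around the host firewall rather than through it.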

        1. Dimmer Bronze badge

          Re: Solution seems to be obvious

          Yep. That is what I thought. So I blocked all outbound applications and turned on logging. No luck. Seems to be a thing nowadays. SONICWALL does the same thing. Try blocking it trying to phone home from the firewall: it does the "these are not the packets you are looking for".

          Android: tunnel everything to a firewall and block all, and you will still see traffic outside the VPN.

        2. Jou (Mxyzptlk) Silver badge

          Re: Solution seems to be obvious

          Oh, I used the evil word to describe the allow-list. Will take a few years more until I get that out of my system.

    2. emfiliane

      Re: Solution seems to be obvious

      > Did I read the article the right way? Or can that be exploited without auth as well? Or an auth-bypass?

      That is the problem, many methods are known to extract the saved local SQL auth keys as long as administrator access is available, so whatever chain is necessary to acquire admin access.

      Once there, it's all dependent on whatever access the account has to SQL, and the Veeam roles of whatever it can access (easily extracted and decrypted from SQL tables) has to anything. If the SQL account isn't set up to deny access to the Credentials table, it can read all accounts and encrypted passwords. At that point you only have the SQL/Veeam roles assigned, and hopefully they've done the only possible reasonable thing and set up separate accounts for the administrative and client sides of each, or else it's trivial to get full access.

      Otherwise, they also have to find a way to elevate on the Veeam server in order to extract or purge the backups of all systems.
