PSA: If you use #Veeam Backup & Replication (very common), upgrade. Especially if your server faces the internet.

Screenshot from Code White: the API lets you remotely request Windows admin credentials for some reason, no auth required.

In their advisory Veeam claimed these are encrypted... it's base64 (lololol)

#CVE202327532 https://www.veeam.com/kb4424

KB4424: CVE-2023-27532

Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.

Veeam Software
Hackers target vulnerable Veeam backup servers exposed online

Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.

BleepingComputer
@GossiTheDog base64: not even memecrypto
@GossiTheDog why for god's sake would you have your backup infrastructure exposed on the internet!?
@en3py @GossiTheDog I am asking myself the same question with vcenter server facing to the internet site. I think it has something todo with remote management for the admin or/and IT service provider.
@Scheune @GossiTheDog yeah as well as "I am too lazy to figure out the risks... Oh anyway it's in the cloud, so it's secure, right?"
Nope. It's not.
@GossiTheDog Oh FFS can we get a rule that they can't say "encrypted" data if there was no key involved?
@GossiTheDog A further PSA: do not expose your backup infra directly to the Internet!
@GossiTheDog base64 all your admins belong to us. OMFreakingGosh.
@GossiTheDog Well, to quote @mwulftange: "passwords are stored encrypted using DataProtectionScope.LocalMachine. But they get decrypted during serialization of the CCredentials object before transit. So, yes, the client receives the passwords in plaintext"
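As an added illustration of the encoding-versus-encryption point made in the thread (this is not code from the thread, from Veeam, or from Code White, and the API response it inspects is a made-up sample, not Veeam's wire format): a small triage helper that, given the "protected" fields in a response, reports whether each value is raw plaintext, base64-encoded plaintext (no key involved), or opaque bytes that at least look like ciphertext. The field names and the sample password are assumptions for the example.

```python
import base64
import binascii
import math
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def try_base64(value: str) -> Optional[bytes]:
    """Strictly decode `value` as base64; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_secret(value: str) -> str:
    """
    Classify one 'protected' credential value from an API response.

    Returns one of:
      "plaintext"          - not base64 at all; the value is the secret itself
      "encoded-plaintext"  - base64 that decodes to readable text (no key involved)
      "opaque"             - base64 whose decoded bytes do not read as text
    """
    raw = try_base64(value)
    if raw is None:
        return "plaintext"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Random/ciphertext bytes are very unlikely to be valid UTF-8.
        return "opaque"
    printable = sum(ch.isprintable() for ch in text) / max(len(text), 1)
    # Readable text is almost all printable and sits well under ~5.5 bits/byte;
    # keys and ciphertext approach 8 bits/byte for anything but tiny inputs.
    if printable > 0.95 and shannon_entropy(raw) < 5.5:
        return "encoded-plaintext"
    return "opaque"


def audit_response(resp: dict) -> dict:
    """Classify every string field of a decoded JSON-like response."""
    return {k: classify_secret(v) for k, v in resp.items() if isinstance(v, str)}


# Constructed sample (assumption, not a real Veeam response). The password is
# the umlaut example from the thread, base64-encoded the way a "protected"
# field might arrive; the blob is 32 deterministic pseudo-random bytes standing
# in for something that was actually encrypted with a key.
import hashlib
SAMPLE_RESPONSE = {
    "username": "Administrator",
    "password": base64.b64encode("Süp3rS3cr3tP4$$w0rd!".encode("utf-8")).decode("ascii"),
    "dpapi_blob": base64.b64encode(hashlib.sha256(b"constructed").digest()).decode("ascii"),
}

if __name__ == "__main__":
    for field, verdict in audit_response(SAMPLE_RESPONSE).items():
        print(f"{field}: {verdict}")
```

The heuristic errs on the side of flagging: a value that is not valid base64 is reported as plaintext, and base64 that decodes to readable text is reported as merely encoded. Short plaintext passwords whose length happens to be a multiple of four can be valid base64 and will usually land in "opaque", so treat the output as a prompt to look closer, not as proof that a field was encrypted.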
@GossiTheDog I don’t understand why anyone would expose their backup system to the Internet.

@deepthoughts10 @GossiTheDog I think #attackSurface reduction is not well understood by many non #security folks as well as security folks.

You don’t have to fix so often what is not exposed
Try to be lazy and don’t expose it right from the start

@GossiTheDog I used Base64 encoded output just to make sure special characters such as the umlaut in Süp3rS3cr3tP4$$w0rd! don't get mangled or lost when printing to console.

@GossiTheDog Someone else who doesn't know the difference between encryption and encoding 🫤🤦‍♂️

@GossiTheDog Have you told James? 🤔