
N-able Moves to Protect Against ‘Surge’ of Identity-Based Attacks on Backups


Ransomware groups and other threat actors have long targeted backup environments to remove the safety nets that protect organizations from having to pay ransom. Attackers often increase their leverage if they can encrypt or destroy backups.

That said, what’s changed is how these backups are housed and managed, and how cybercriminals can reach them. Backups are no longer isolated infrastructures. Instead, they’re administered via the same identity systems as the rest of the IT environment.

“[This] means if an attacker compromises a privileged identity, access to the backup console often follows,” Keeper Security CISO Shane Barney told MSSP Alert. “Instead of exploiting software vulnerabilities, many [threat groups] have shifted to using stolen credentials obtained through phishing scams, token theft, or social engineering.”

Barney added that “the issue is not that backups are suddenly vulnerable. It’s that they now sit behind identity controls, and identity compromise is increasingly common. That shifts backups from being purely a recovery mechanism to another system that must be governed carefully.”

Expanding Anomaly Detection

N-able, pointing to what executives describe as a “surge in identity-driven cyberattacks targeting backup environments,” this week expanded the Anomaly Detection capabilities in its Cove Data Protection solution to include protections against the trend. With the new Critical Configuration Changes feature in Anomaly Detection, enterprises, MSSPs, and MSPs are alerted through event-based notifications to signals of possible cyberattacks or misconfigurations before they can escalate.

This lets defenders react in a just-in-time manner to maintain data resilience, according to the vendor, whose Cove Data Protection offers a cloud-first and appliance-free backup and recovery solution to organizations and security services providers. It protects servers, workstations, and Microsoft 365 data and defends against ransomware by using AES 256-bit encryption and immutable storage.

The latest feature for protecting backups comes after N-able unveiled Honeypots, part of Anomaly Detection, aimed at detecting brute-force attacks on backup infrastructure. The focus on identity-based backup threats is important, according to Stefan Voss, vice president of product for N-able’s Cove Data Protection.

The Threat to Backups

“Accidental and malicious changes to backup policies are real cybersecurity concerns for those who manage backup environments,” Voss wrote in a blog post. “Whether it be a misconfiguration by a user or an attacker that has gained access to the backup environment, silent changes to backup policies can erode data availability. This can include changed retention schedules, modified backup policies, or deleted devices.”

Identity over the past few years has steadily become a preferred method of cybercriminals for gaining access to the IT environments of their targets, overtaking exploiting software vulnerabilities. The argument has become that bad actors no longer have to break in; instead, they sign in.

“Today’s most advanced attackers have moved past trying to punch a hole in your network,” Dan Lu, who leads product marketing for security firm Rubrik, wrote late last year. “They now employ a more devastating strategy: identity compromise. They are stealing valid credentials to operate with the full privileges of your own administrators. Now these threat actors can achieve their ultimate objective: total cloud destruction.”

Attackers and Identity

This delivers significant advantages to attackers, Keeper Security’s Barney said.

“When access is achieved through valid identities, the activity blends in,” he said. “From the platform’s perspective, the threat actor appears to be an administrator making configuration changes. That’s the real shift. Identity has become the access layer for cloud, SaaS applications, and backup systems alike. Backups are not a new target. Credential-driven access is simply a more efficient path to reach them.”

It also buys the threat actor time. They don’t have to encrypt data immediately because, having gained access through a valid identity, their activity more easily blends in with legitimate work.

“They can modify retention policies, disable immutability, remove systems from protection, or adjust scope in ways that appear administrative rather than malicious,” he said. “Those changes may not raise alarms because they are executed through valid credentials.”

Hobbling Resilience

In his blog post, N-able’s Voss detailed some of the problems that such identity-based intrusions into backup systems can cause.

“Instead of deleting everything, (attackers) tweak backup configurations without being noticed,” he wrote. “Maybe they change data retention from one year to seven days, exclude critical files (like financial data) from backups, or delete servers or workstations (like a CEO’s) from protection. Over time, these configuration changes can erode the restorability of your available backup copies.”
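One way to implement the kind of event-based monitoring the article describes, as an added example that is not N-able’s or Cove’s code: a small detector over constructed backup-audit events that flags the change types Voss lists (retention shortened, critical paths excluded, devices removed from protection) plus immutability being disabled, and escalates when the actor is a service account or a session without MFA. The event field names, the actor naming convention and the thresholds are assumptions.

```python
# Added example (not N-able's or Cove's code): a toy detector that reads
# backup-audit events and raises alerts for risky configuration changes.
# Event field names, the "svc-" actor prefix and thresholds are assumptions.

CRITICAL_PATHS = ("finance", "hr", "payroll")
RETENTION_DROP_RATIO = 0.5  # alert when retention shrinks by more than half

# Constructed sample events, not real audit output.
SAMPLE_EVENTS = [
    {"actor": "svc-backup-automation", "mfa": False, "action": "retention.update",
     "device": "fileserver01", "old": 365, "new": 7},
    {"actor": "alice.admin", "mfa": True, "action": "retention.update",
     "device": "fileserver01", "old": 365, "new": 270},
    {"actor": "alice.admin", "mfa": True, "action": "exclusion.add",
     "device": "fileserver01", "path": "D:\\Finance"},
    {"actor": "alice.admin", "mfa": True, "action": "device.delete",
     "device": "ceo-laptop"},
    {"actor": "alice.admin", "mfa": True, "action": "immutability.set",
     "device": "fileserver01", "old": True, "new": False},
    {"actor": "bob", "mfa": True, "action": "schedule.update",
     "device": "ws-17", "old": "daily", "new": "daily"},
]


def classify(ev):
    """Return (severity, reason) for a risky change, or None for benign ones."""
    a = ev["action"]
    if a == "retention.update" and ev["new"] < ev["old"] * (1 - RETENTION_DROP_RATIO):
        return "high", f"retention cut {ev['old']}->{ev['new']} days on {ev['device']}"
    if a == "exclusion.add" and any(k in ev["path"].lower() for k in CRITICAL_PATHS):
        return "high", f"critical path excluded: {ev['path']} on {ev['device']}"
    if a == "device.delete":
        return "high", f"device removed from protection: {ev['device']}"
    if a == "immutability.set" and ev["old"] and not ev["new"]:
        return "critical", f"immutability disabled on {ev['device']}"
    return None


def detect(events):
    """Run classify() over an event stream; escalate non-human/non-MFA actors."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        sev, reason = hit
        # A service account or a session without MFA is exactly the identity a
        # stolen-credential intrusion would show up as, so escalate those hits.
        if ev["actor"].startswith("svc-") or not ev["mfa"]:
            sev, reason = "critical", reason + " (non-interactive or non-MFA identity)"
        alerts.append({"severity": sev, "actor": ev["actor"], "reason": reason})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts: the automation account’s retention cut (escalated to critical), the Finance exclusion, the CEO laptop deletion, and the immutability change; the modest retention change and the no-op schedule update stay silent.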

MSSPs in a Unique Position

MSSPs and MSPs need to be as cognizant of the threat as corporate security teams, Barney said. They often manage both security tools and backup environments for clients, putting them in a unique position.

“Backup consoles must be treated as privileged systems, not secondary infrastructure,” he said. “That means enforcing strong authentication, limiting standing administrative access, and monitoring configuration changes with the same rigor applied to production systems.”

They also need to pay attention to service accounts and automation tokens, which can have identities with broad permissions and often aren’t as visible as human users. In addition, backup resilience and identity governance are also now closely linked.

“If identity controls are disciplined, backup environments are far more difficult to quietly manipulate,” the Keeper Security CISO said.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
