Corporate Backup Solutions Self-Defense - Bitpipe


Corporate Backup Solutions Self-Defense Test, March 2018
© 2018 NioGuard Security Lab, www.nioguard.com

01 Introduction

In the light of the growing number of ransomware attacks in which cryptolockers terminate database processes to unlock the database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and can encrypt local and network backups to demand a ransom (Rapid, Spora), we decided to test the self-defense capabilities of the top backup solutions used in business environments that are available for trial.

The test aims at verifying the sustainability of a product's processes and services against the typical attacks on security software described below, as well as the self-protection of local backups and the product's own files. Ransomware can encrypt local backup files and configuration files that belong to a backup program, thereby disabling recovery of the files. Moreover, once access to the agent's or server's processes is gained, an attacker can delete backup copies of the files not only locally but also in the cloud, on behalf of the backup solution.

This document is a summary of the corporate backup solutions test report and includes the description of the test environment, the list of tested solutions and their versions, an overview of the test scenarios, as well as the results and the conclusions based on these results. We do not rank the tested solutions and do not give any awards but provide the results "as is" for information purposes only.

02 Test environment

The tests were conducted on virtual machines of:
- Windows 8.1 SP1 32-bit build 9600
- Windows 10 64-bit Enterprise Build 16299
- Windows Server 2012 R2 Standard 64-bit v. 6.3.9600 Build 9600

We tested backup solutions on 32-bit and 64-bit platforms because the process injection techniques used in the test scenarios differ on these platforms. Moreover, 32-bit and 64-bit product builds may contain a different set of features, including self-defense ones, and their implementation may depend on the OS architecture.

03 Tested products

The latest versions of the following products available at the time of testing were tested:

Acronis Backup
  Management Server: 12.5 9010
  Agent: 12.5 9010
Arcserve
  Unified Data Protection Server: 6.5.4175 Update 2 Build 667
  Unified Data Protection Client: 6.5.4175.791 v.r6.5
Veeam
  Backup & Replication: 9.5 Update 3
  Agent Windows: 2.1.0.423
Veritas Backup Exec
  Server: 16.0 Rev. 1142
  Agent Utility for Windows: 16.0 ver. 1142.1632

Every product was installed with the default settings and updated before testing.

04 Test scenarios

The test suite consists of 31 tests simulating attacks on local backup files, the product's files, processes, services, and cloud storage that aim at disrupting the backup and recovery service. The 'Protection of the product's files' test category contains simple tests aimed at destroying backup and application files, making recovery of the data encrypted by ransomware impossible.

The second group of tests, 'Protection of the product's processes and services', is crucial for self-defense because malware can inject its malicious code into a backup agent and act on behalf of the backup solution, gaining all the privileges necessary to control backup files. At the wish of an attacker, a malicious process can terminate processes and services, which may lead to crashing the backup and recovery application or deleting backup files on behalf of the backup solution.

The last test set, 'Protection of cloud backup and recovery', targets the communication interfaces with cloud storage. A DNS poisoning attack or improper use of the CLI may result in disruption of the cloud backup service.

Test categories and scenarios:

Protection of the product's files
  Protection of local backup files
    1. Rename, delete, or encrypt local backup files
  Protection of the backup product's own files
    2. Delete program files
    3. MBR modification and MFT encryption (NotPetya and Petya ransomware)

Protection of the product's processes and services
  Terminating processes and services
    4. End task in Task Manager
    5. Stop services and terminate processes using PowerShell
    6. Using TerminateProcess()
    7. Using TerminateThread()
    8. Using TerminateJobObject()
    9. Using DebugActiveProcess()
    10. Using WinStationTerminateProcess()
    11. Send WM_CLOSE event
    12. Send WM_QUIT event
    13. Send WM_SYSCOMMAND (SC_CLOSE) event
    14. Send all possible window events
  Code injection
    15. Using CreateRemoteThread()
    16. Using NtCreateThreadEx()
    17. Using QueueUserAPC()
    18. Using SetWindowsHookEx()
    19. Using RtlCreateUserThread()
    20. Using SetThreadContext()
    21. Reflective DLL injection
  Modification of process memory
    22. Blocking access to the process memory pages by setting the PAGE_NOACCESS attribute
    23. Trying to free process memory using NtFreeVirtualMemory()
    24. Unmap all mapped objects using NtUnmapViewOfSection()
    25. Allocate all available memory using NtAllocateVirtualMemory()
    26. Allocate all available memory using NtMapViewOfSection()
    27. Write in process memory using NtWriteVirtualMemory()
  Modification of process objects
    28. Duplicate process objects to consume all available resources
    29. Duplicate process objects with closing source objects

Protection of cloud backup and recovery
  Modification of cloud backup data
    30. Use the product's CLI to delete, modify, or encrypt data in the cloud
  DNS poisoning
    31. Modify hosts file

05 Results

The results table has the columns: Product name; Platform (32-bit / 64-bit); The number of passed tests; The number of failed tests; Not applicable (N/A); Pass rate. Products: Acronis Backup, Arcserve, Veeam, Veritas Backup Exec.

[The per-product values of the results table are garbled in this transcription; the only legible fragments of the rows are "4427013%", "32522419%" and "64427013%", and which product each row belongs to is not recoverable. The Acronis Backup pass rates are stated in the conclusion below.]

The number of passed tests: the product withstood the attack, preserving the workability of the recovery service.

Pass rate is calculated as: the number of passed tests / (total number of tests - N/A).

The number of failed tests: the product crashed after the attack, losing the workability of the recovery service.

Note: The results only show the total number of failed tests without specifying which particular tests were failed. This is done intentionally to prevent criminals from getting information about the weaknesses of the tested products.

Not applicable: the test uses a Windows API function that is not supported by the current version of Windows, or the tested feature is not available in the product. For instance, a solution has no CLI tool to manage backups, or cloud storage is not available among the locations where backups can be stored.

06 Conclusion

The aim of the test was to verify the self-defense capabilities of the backup software to protect its files, processes, services, and cloud storage against scenarios that can potentially be executed by ransomware.

The results have shown that the majority of the tested products are in most cases not ready to counteract ransomware-like attacks, allowing a potential attacker to lock the user's backups and disable backup and recovery services. Only Acronis Backup showed good results, with 87% and 81% pass rates for the 32-bit and 64-bit products respectively, providing comprehensive self-defense capabilities as well as service sustainability.
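Two of the scenarios in the test list, test 1 (rename, delete or encrypt local backup files) and test 31 (modify the hosts file), leave traces that an administrator can check for independently of the backup product's own self-defense. The script below is an added example written for this summary; it is not part of the NioGuard report, its test scripts, or any of the tested products. It records a hash baseline of a backup directory and then reports files that went missing, were renamed, or were rewritten with content that looks encrypted (high byte entropy), and it parses a hosts file for entries that pin the hostnames a backup agent uses to reach its cloud storage. The directory layout, file names, hostnames and hosts-file lines are all constructed for the example.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Hostnames the backup agent is expected to resolve through DNS (constructed for the example).
CLOUD_BACKUP_HOSTS = {"backup.example-cloud.invalid", "api.example-cloud.invalid"}

# Bits per byte above which a rewritten file is reported as "looks encrypted".
# Ciphertext and random keystreams sit close to 8.0; plain backup records sit far below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(backup_dir: Path) -> dict:
    """Map file name -> SHA-256 for every regular file in the backup directory."""
    return {p.name: sha256_file(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}


def check_backups(backup_dir: Path, baseline: dict) -> list:
    """Compare the directory with the baseline; return (file name, reason) findings."""
    findings = []
    present = {p.name: p for p in backup_dir.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        path = present.get(name)
        if path is None:
            findings.append((name, "missing (deleted or renamed)"))
            continue
        if sha256_file(path) != digest:
            reason = "modified"
            with path.open("rb") as f:          # sample the first MiB for the entropy check
                if shannon_entropy(f.read(1 << 20)) > ENTROPY_THRESHOLD:
                    reason = "modified, content looks encrypted"
            findings.append((name, reason))
    for name in present.keys() - baseline.keys():
        findings.append((name, "unexpected new file"))
    return findings


def hosts_overrides(hosts_text: str, watched_hosts: set) -> list:
    """Return (hostname, address) pairs for hosts-file lines that pin a watched hostname."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            if name.lower() in watched_hosts:
                hits.append((name.lower(), address))
    return hits


def demo() -> dict:
    """Constructed scenario: baseline two backup files, then simulate a ransomware run."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "full-2018-03-01.bak").write_bytes(b"backup record 0001\n" * 200)
        (d / "incr-2018-03-02.bak").write_bytes(b"backup record 0002\n" * 200)
        baseline = build_baseline(d)
        # Simulated damage: one file overwritten with a pseudo-random keystream
        # (SHA-256 of a counter, deterministic for the example), the other renamed.
        keystream = b"".join(
            hashlib.sha256(b"constructed-key" + i.to_bytes(4, "big")).digest() for i in range(128)
        )
        (d / "full-2018-03-01.bak").write_bytes(keystream)
        (d / "incr-2018-03-02.bak").rename(d / "incr-2018-03-02.bak.locked")
        backup_findings = check_backups(d, baseline)
    sample_hosts = "\n".join([
        "# constructed hosts file for the example",
        "127.0.0.1 localhost",
        "203.0.113.9 backup.example-cloud.invalid   # entry that redirects the agent",
    ])
    return {"backups": dict(backup_findings), "hosts": hosts_overrides(sample_hosts, CLOUD_BACKUP_HOSTS)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hash baseline is the primary signal: any change to a backup file that the product did not make is worth an alert. The entropy check only labels the kind of change, and it will also fire on backup formats that are compressed or encrypted by design, so the threshold has to be tuned against the product's own output before it is used for alerting. The hosts-file check is deliberately simple; a matching entry is not proof of tampering, but a pinned cloud endpoint on a backup host is rarely legitimate and is cheap to verify.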

07 Copyright and Disclaimer

Any use of the results provided in this report is only permitted after explicit written agreement with NioGuard Security Lab prior to any publication.

We are not responsible for any damage or loss that might occur in connection with the use of the information provided in this paper, including the test script. We do not guarantee the accuracy and completeness of the content provided in this report.

For more information regarding NioGuard Security Lab and the testing methodology, please visit our website www.nioguard.com or contact us via email: ada@nioguard.com.
