{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mssql/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Veeam Backup"],"_cs_severities":["medium"],"_cs_tags":["veeam","credential-access","mssql","windows","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam"],"content_html":"\u003cp\u003eAttackers are increasingly targeting backup infrastructure to maximize the impact of ransomware and data exfiltration attacks. Veeam, a popular backup and disaster recovery solution, stores credentials for backup operations in MSSQL databases. An attacker who gains access to these databases may attempt to use tools like \u003ccode\u003esqlcmd.exe\u003c/code\u003e or PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to extract and decrypt these credentials. This tactic allows the attacker to compromise the backups themselves, preventing recovery and increasing pressure on the victim. This activity has been observed in real-world incidents, such as those involving the Diavol ransomware. Defenders should monitor for suspicious command-line activity targeting Veeam credentials within MSSQL environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the target environment is gained through methods such as phishing or exploiting a vulnerability in a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify the location of the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains valid credentials or exploits a vulnerability to gain access to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esqlcmd.exe\u003c/code\u003e or uses PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to query the \u003ccode\u003e[VeeamBackup].[dbo].[Credentials]\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the encrypted Veeam credentials from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the Veeam credentials using custom scripts or tools, potentially leveraging the Veeam backup server itself.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Veeam credentials to access and delete or encrypt backup data.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware on the remaining systems, knowing that recovery from backups is now impossible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful compromise of Veeam credentials can have devastating consequences. Attackers can encrypt or delete backup data, making recovery impossible and significantly increasing the impact of ransomware attacks. This can lead to prolonged downtime, data loss, financial losses, and reputational damage. Organizations relying on Veeam for backup and recovery should prioritize monitoring and securing their Veeam infrastructure to prevent credential access and backup compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line activity, specifically \u003ccode\u003esqlcmd.exe\u003c/code\u003e and PowerShell.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Veeam Credential Access Command\u0026rdquo; to detect suspicious command executions targeting Veeam credentials in MSSQL databases.\u003c/li\u003e\n\u003cli\u003eReview and restrict access controls to the Veeam MSSQL database, ensuring only authorized personnel and services have access.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual login activity and failed login attempts to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all accounts with access to Veeam infrastructure.\u003c/li\u003e\n\u003cli\u003eRegularly audit Veeam backup configurations and logs to identify any unauthorized modifications or access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-veeam-credential-access/","summary":"Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.","title":"Potential Veeam Credential Access via SQL Commands","url":"https://feed.craftedsignal.io/briefs/2024-07-veeam-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Mssql","version":"https://jsonfeed.org/version/1.1"}