
Ransomware deleted TSM backups from node

Posted by Anonymous 
Ransomware deleted TSM backups from node
January 30, 2015 05:42PM
I'm not sure there's anything that can be done about this, but take it
as a warning anyway.

A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
They encrypted all files on the node, and left a ransom note.

The node owner called me because they were having trouble restoring
their files from TSM using a point-in-time restore. The files were gone!
Apparently this villain located which backup program was installed,
found it was TSM, and issued actual dsmc delete backup commands, which
they were allowed to do since PASSWORDACCESS GENERATE was in effect. So
this attack vector is not limited to TSM; it would work with any backup
program that the villain can figure out how to use.

I have moved this node to a domain that includes VEREXISTS=NOLIMIT
VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group,
while our data security people investigate.

I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
prevent a hacker from deleting backups. Anybody got a better idea?

Roger Deschner University of Illinois at Chicago rogerd < at > uic.edu
=================== ALL YOUR BASE ARE BELONG TO US!! ===================
Ransomware deleted TSM backups from node
January 31, 2015 02:56AM
[quote]On 31 Jan. 2015, at 02:40, Roger Deschner <rogerd < at > UIC.EDU> wrote:

I'm not sure there's anything that can be done about this, but take it
as a warning anyway.
[/quote]
--8<--

[quote]I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
prevent a hacker from deleting backups. Anybody got a better idea?
[/quote]
--8<--

I’m quite sure that this is the reason (among others) why backdel=n is the default. This is also the very first time that I hear that the bad guys are TSM aware...

--

Kind Regards,

Remco Post
r.post < at > plcs.nl
+31 6 248 21 622
Ransomware deleted TSM backups from node
February 02, 2015 09:45AM
Roger,

According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP for SQL require backdelete authority. I don't know how to get around this problem.

Jim Schneider

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto] On Behalf Of Roger Deschner
Sent: Friday, January 30, 2015 7:40 PM
To: ADSM-L < at > VM.MARIST.EDU
Subject: [ADSM-L] Ransomware deleted TSM backups from node


**********************************************************************
Information contained in this e-mail message and in any attachments thereto is confidential. If you are not the intended recipient, please destroy this message, delete any copies held on your systems, notify the sender immediately, and refrain from using or disclosing all or any part of its content to any other person.
Ransomware deleted TSM backups from node
February 02, 2015 10:44AM
Same goes for Oracle and Notes backups. They manage their own backups so
no way to get around this. Same goes for PASSWORDACCESS GENERATE - AFAIK
can't schedule backups without it....

On Mon, Feb 2, 2015 at 12:44 PM, Schneider, Jim <jschneider < at > ussco.com>
wrote:

[quote]Roger,

According to my TSM Data Protection for SQL 6.4 manual, servers that run
TDP for SQL require backdelete authority. I don't know how to get around
this problem.

Jim Schneider

[/quote]

--
*Zoltan Forray*
TSM Software & Hardware Administrator
BigBro / Hobbit / Xymon Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zforray < at > vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html
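Roger's plan is to set BACKDEL=NO ARCHDEL=NO on every node, while Jim and Zoltan point out that TDP for SQL, Oracle and Notes nodes need backdelete authority; the shell script below is an added example (not from this thread, IBM, or any poster) that audits node settings from dsmadmc output, reports the application-managed exceptions, and emits the revoking commands for review instead of running them. It assumes dsmadmc is run with -dataonly=yes -comma against the NODES table, whose BACKDELETE and ARCHDELETE columns hold YES/NO; the node names in the sample are constructed.

```shell
#!/bin/sh
# Audit which TSM client nodes still allow the client itself to delete its
# backups/archives (the capability the ransomware in this thread used), and
# emit the "update node" commands that would revoke it, for admin review.
#
# Assumed real-world input (not part of the original thread):
#   dsmadmc -id=ADMIN -password=... -dataonly=yes -comma \
#     "select node_name, backdelete, archdelete from nodes" | audit_nodes
# Nodes whose application manages its own backups (TDP for SQL, Oracle,
# Notes) are listed in EXEMPT_NODES and are only reported, never changed.

# Constructed sample of comma-separated dsmadmc output; not real nodes.
SAMPLE_NODES='WS-ROGER01,YES,YES
WS-ACCT02,NO,NO
SQL-TDP01,YES,NO
ORA-DB01,YES,YES
FILE-SRV03,YES,NO'

# Hypothetical application-managed nodes that require backdelete authority.
EXEMPT_NODES="SQL-TDP01 ORA-DB01"

is_exempt() {
    for n in $EXEMPT_NODES; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# Reads node rows on stdin. Prints one "update node" command per node that
# still permits client-side deletion and is not exempt; exempt nodes that
# keep delete authority are flagged on stderr so they get a second look.
# CRs are stripped in case the output came from a Windows dsmadmc session.
audit_nodes() {
    tr -d '\r' | while IFS=, read -r node backdel archdel; do
        [ -z "$node" ] && continue
        if [ "$backdel" = "YES" ] || [ "$archdel" = "YES" ]; then
            if is_exempt "$node"; then
                echo "NOTE: $node keeps delete authority (application-managed backups)" >&2
            else
                echo "update node $node backdelete=no archdelete=no"
            fi
        fi
    done
}

# Number of nodes the audit would change; handy as a before/after check.
count_changes() {
    printf '%s\n' "$SAMPLE_NODES" | audit_nodes 2>/dev/null | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NODES" | audit_nodes
```

Pipe the generated commands into a dsmadmc macro only after the exempt list has been reviewed; a node wrongly revoked will fail its next application-managed backup rather than silently lose protection.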
Ransomware deleted TSM backups from node
February 02, 2015 02:55PM
You can schedule an admin schedule around the Oracle/Notes backup window to
enable/disable BACKDEL=YES/NO.

It is not an ideal situation, but decreases the risk. And if you configured
these nodes with specific nodenames (like you should) the malware could not
get to those clients.
Or they should scan the host for all available TSM OPT files and act from
these...

2015-02-02 19:44 GMT+01:00 Zoltan Forray <zforray < at > vcu.edu>:

[quote]Same goes for Oracle and Notes backups. They manage their own backups so
no way to get around this. Same goes for PASSWORDACCESS GENERATE - AFAIK
can't schedule backups without it....

[/quote]

--
Kind Regards, Greetings,

Marcel Anthonijsz
T: +31(0)299-776768
M:+31(0)6-53421341
Ransomware deleted TSM backups from node
February 02, 2015 03:40PM
[quote]On 2 Feb. 2015, at 18:44, Schneider, Jim <jschneider < at > USSCO.COM> wrote:

Roger,

According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP for SQL require backdelete authority. I don't know how to get around this problem.
[/quote]
Mitigated by running the file backup and ‘structured data’ backup as separate nodes so you can at least protect your unstructured data against such ransomware.

--

Kind Regards,

Remco Post
r.post < at > plcs.nl
+31 6 248 21 622
Ransomware deleted TSM backups from node
February 03, 2015 05:19AM
A good idea but for us, most of our backups/archives on Oracle systems are
done manually/system managed, not TSM server scheduled. Plus you have no
realistic idea of how long the backup could run. We have Notes backups
that run 10 days!

On Mon, Feb 2, 2015 at 5:54 PM, Marcel Anthonijsz <marcel < at > anthonijsz.net>
wrote:

[quote]Can Schedule an admin schedule around the Oracle/Notes backup window to
enable/disable BACKDEL=YES/NO.

It is not an ideal situation, but decreases the risk. And if you configured
these nodes with specific nodenames (like you should) the malware could not
get to those clients.
Or they should scan the host for all available TSM OPT files and act from
these...

[/quote]

--
*Zoltan Forray*
TSM Software & Hardware Administrator
BigBro / Hobbit / Xymon Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zforray < at > vcu.edu - 804-828-4807