Category: Cybersecurity

  • FedRAMP at Startup Speed: Lessons Learned

    Jun 18, 2025 | The Hacker News | DevSecOps / Security Architecture

    For organizations eyeing the federal market, FedRAMP can feel like a gated fortress. With strict compliance requirements and a notoriously long runway, many companies assume the path to authorization is reserved for the well-resourced enterprise. But that’s changing.

    In this post, we break down how fast-moving startups can realistically achieve FedRAMP Moderate authorization without derailing product velocity, drawing on real-world lessons, technical insights, and the bruises earned along the way by a cybersecurity startup that just went through the process.

    Why It Matters

    Winning in the federal space starts with trust—and that trust begins with FedRAMP. But pursuing authorization is not a simple compliance checkbox. It’s a company-wide shift that requires intentional strategy, deep security investment, and a willingness to move differently than most startups.

    Let’s get into what that actually looks like.

    Keys to a Successful FedRAMP Authorization

    1. Align to NIST 800-53 from Day One

    Startups that bolt on compliance late in the game usually end up rewriting their infrastructure to fit. The better path? Build directly against the NIST 800-53 Rev. 5 Moderate baseline as your internal security framework—even before FedRAMP is on the roadmap.

    This early commitment reduces rework, accelerates ATO prep, and fosters a security-first mindset that scales. Compliance is also often a must-have for doing business with mid-to-large enterprises, so it is more than a checkbox; it is a business enabler. Here at Beyond Identity, when we describe the platform as “secure-by-design,” a foundational component of that claim is alignment to strict compliance frameworks from the start.

    2. Build an Integrated Security Team

    FedRAMP isn’t just an InfoSec problem—it’s a team sport. Success requires tight integration across:

    • Compliance-focused InfoSec leads who understand the nuances of FedRAMP controls
    • Application security engineers who can embed guardrails without bottlenecking delivery
    • DevSecOps teams to operationalize security across pipelines
    • Platform engineers responsible for both cloud posture and deployment parity

    Cross-functional collaboration isn’t a nice-to-have—it’s how you survive the inevitable curveballs.

    3. Mirror Your Commercial and Federal Architectures

    Attempting to run a separate product for the federal market? Don’t.

    Winning startups keep a single software release chain, with identical configurations and infrastructure across both environments. That means:

    • No federal-only forks
    • No custom hardening outside the mainline
    • One platform, one set of controls

    This approach dramatically reduces technical drift, simplifies audits, and ensures your engineers aren’t context-switching between two worlds.

    Scrutinize the Business Case

    FedRAMP isn’t cheap. Initial investments often exceed $1 million, and timelines can stretch beyond 12 months. Before you start:

    • Validate the market opportunity—can you actually win federal deals?
    • Confirm executive sponsorship—FedRAMP requires top-down alignment
    • Look for 10x return potential—not just for the cost, but for the time and energy involved

    This isn’t a growth experiment. It’s a long play that demands conviction.

    Pick the Right Partners

    Navigating FedRAMP alone is a losing strategy. Choose external vendors carefully:

    • Ask for customer references with successful FedRAMP delivery
    • Watch for predatory pricing—especially from Third Party Assessment Organizations and automation tools
    • Prioritize collaboration and transparency—your partner becomes an extension of your team

    Cut corners here and you’ll pay for it later—in both delays and trust.

    Build Internal Muscle

    No external vendor can replace internal readiness. You’ll need:

    • Security architecture skills with depth in cryptography, PKI, and TPMs
    • Ops maturity to manage change control, evidence collection, and ticketing rigor
    • Strong program management to coordinate vendors, auditors, and internal stakeholders
    • Team training—FedRAMP has a steep learning curve. Invest early.

    FedRAMP reshapes how you ship, with slower velocity, higher overhead, and the need for tight cross-functional alignment. While the impact is real, the long-term payoff is disciplined security and process maturity that goes well beyond compliance.

    The Toughest Challenges

    Every FedRAMP journey hits turbulence. Some of the hardest problems include:

    • Interpreting FedRAMP Moderate controls without clear guidance
    • Defining authorization boundaries across microservices and shared components
    • Operationalizing DevSecOps gates that enforce security without stalling builds
    • Choosing the right tools for SAST, DAST, SBOM, and SCA—and integrating them

    Don’t underestimate these. They can become critical blockers without careful planning.

    Achieving FedRAMP at startup speed is possible—but only with ruthless prioritization, integrated security culture, and a deep understanding of what you’re signing up for.

    If you’re considering the journey: start small, move deliberately, and commit fully. The federal market rewards trust—but only for those who earn it.

    Beyond Identity is a FedRAMP-moderate identity and access management platform that eliminates identity-based attacks. Learn more at beyondidentity.com.


    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

    Jun 18, 2025 | Ravie Lakshmanan | Linux / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.

    The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023.

    “Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount,” the agency said.

    “This uid mapping bug allows a local user to escalate their privileges on the system.”

    It’s currently not known how the security flaw is being exploited in the wild. In a report published in May 2023, Datadog said the vulnerability is trivial to exploit and that it works by tricking the kernel into creating a SUID binary owned by root in a folder like “/tmp” and executing it.

    “CVE-2023-0386 lies in the fact that when the kernel copied a file from the overlay file system to the ‘upper’ directory, it did not check if the user/group owning this file was mapped in the current user namespace,” the company said.

    “This allows an unprivileged user to smuggle an SUID binary from a ‘lower’ directory to the ‘upper’ directory, by using OverlayFS as an intermediary.”

    Later that year, cloud security firm Wiz detailed two security vulnerabilities dubbed GameOver(lay) (CVE-2023-32629 and CVE-2023-2640) affecting Unix systems that led to similar consequences as CVE-2023-0386.

    “These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine,” Wiz researchers said.

    Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by July 8, 2025, to secure their networks against active threats.


    Source: thehackernews.com…

  • Ex-CIA Analyst Sentenced to 37 Months for Leaking Top Secret National Defense Documents

    Jun 18, 2025 | Ravie Lakshmanan | Espionage / National Security

    A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to a little more than three years in prison for unlawfully retaining and transmitting top secret National Defense Information (NDI) to people who were not entitled to receive it and for attempting to cover up the malicious activity.

    Asif William Rahman, 34, of Vienna, has been sentenced today to 37 months on charges of stealing and divulging classified information. He was an employee of the CIA since 2016 and had Top Secret security clearance to access Sensitive Compartmented Information (SCI) until he was terminated from his job after he was arrested last November in Cambodia.

    Earlier this January, Rahman pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense.

    As previously reported by The Hacker News, Rahman retained multiple Secret and Top Secret documents without authorization on October 17, 2024, took them to his place of residence in a backpack, and willfully sent them to several individuals who did not have the necessary clearance to receive them.

    “The defendant photographed the documents and transferred those images to a computer program that allowed him to edit the images to attempt to conceal their source and delete his activity,” according to court documents. “The defendant also took steps to conceal his identity while unlawfully sharing classified information with others.”

    Some of these documents were related to Israel’s plans to attack Iran around that time. They eventually began circulating online after they were posted on Telegram by an account called Middle East Spectator.

    To cover up these acts, Rahman engaged in what the U.S. Department of Justice (DoJ) described as a “deletion campaign of work product” on his computer, wiping roughly 1.5 GB of data from his email and personal folder on his system. He also deleted and edited certain journal entries to conceal his personal opinions on U.S. policy.

    “Asif Rahman violated his position of trust by illegally accessing, removing, and transmitting Top Secret documents vital to the national security of the United States and its allies,” said Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia.

    “The urgency with which Mr. Rahman was identified, arrested, charged, and prosecuted is a testament to the commitment and professionalism of the investigators and prosecutors who brought him to justice. This case should serve as a stern warning to those who choose to place their own goals over their allegiance to our nation.”


    Source: thehackernews.com…

  • Iran Slows Internet to Prevent Cyber Attacks Amid Escalating Regional Conflict

    Jun 18, 2025 | Ravie Lakshmanan | Hacktivism / Cyber Warfare

    Iran has throttled internet access in the country in a purported attempt to hamper Israel’s ability to conduct covert cyber operations, days after the latter launched an unprecedented attack on the country, escalating geopolitical tensions in the region.

    Fatemeh Mohajerani, the spokesperson of the Iranian Government, and the Iranian Cyber Police, FATA, said the internet slowdown was designed to maintain internet stability and that the move is “temporary, targeted, and controlled, to ward off cyber attacks.” Data shared by NetBlocks shows a “significant reduction in internet traffic” around 5:30 p.m. local time.

    The development comes amid deepening conflict, with Israel and Iran trading missile attacks since Friday. These attacks have spilled over into cyberspace, as security experts warned of retaliatory cyber operations by Iranian state actors and hacktivist groups.

    The digital conflict unfolding behind the scenes goes two ways. Earlier this week, a pro-Israeli group known as Predatory Sparrow claimed responsibility for a cyber attack on Iran’s Bank Sepah, crippling access to its website and ATMs.

    “‘Bank Sepah’ was an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program, and its military nuclear program,” the group said in a public statement posted on X.

    Predatory Sparrow also said it sabotaged the bank’s infrastructure with help from “brave Iranians,” adding “This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies.” Israel has a storied history of sophisticated cyber operations, most notably the Stuxnet attack targeting Iran’s nuclear program.

    Tel Aviv-based cybersecurity firm Radware said it has observed heightened activity from threat actors affiliated with Iran across public and private Telegram channels.

    Some of the groups, including Mysterious Team Bangladesh and Arabian Ghost, have warned neighboring countries Jordan and Saudi Arabia against supporting Israel and claimed to have shut down Israeli radio stations.

    Furthermore, the Iranian government has also urged citizens to delete WhatsApp, one of the country’s most popular messaging platforms, stating without giving any evidence that the Meta-owned app has been weaponized by Israel to spy on its users.

    WhatsApp has denied the allegations. In a statement to the Associated Press, the company said it does not track users nor does it provide “bulk information to any government.”

    The cyber conflict also follows an announcement from the U.S. Department of State that it is seeking information on Iranian hackers whom it accuses of targeting critical infrastructure in the U.S., Israel, and other countries using the IOCONTROL (aka OrpaCrab) malware to breach Industrial Control Systems (ICS).

    “Cyber Av3ngers, which is associated with the online persona Mr. Soul, has launched a series of malicious cyber activities against U.S. critical infrastructure on behalf of Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC),” the department’s Rewards for Justice (RFJ) program said.

    “Cyber Av3ngers actors have utilized malware known as IOCONTROL to target ICS/SCADA devices used by critical infrastructure sectors in the United States and worldwide.”


    Source: thehackernews.com…

  • Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

    Jun 18, 2025 | Ravie Lakshmanan | Vulnerability / Data Protection

    Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions.

    The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0.

    “A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” the company said in an advisory.

    CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability.

    Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole (CVE-2025-23120, CVSS score: 9.9) could be bypassed.

    Also addressed by Veeam is another flaw in the same product (CVE-2025-24286, CVSS score: 7.2) that allows an authenticated user with the Backup Operator role to modify backup jobs, which could result in arbitrary code execution.

    The American company separately patched a vulnerability affecting Veeam Agent for Microsoft Windows (CVE-2025-24287, CVSS score: 6.1) that permits local system users to modify directory contents, leading to code execution with elevated permissions. The issue has been patched in version 6.3.2 (build 6.3.2.1205).

    According to Rapid7, more than 20% of its incident response cases in 2024 involved access to or exploitation of Veeam once a threat actor had already established a foothold in the target environment.

    With security flaws in Veeam backup software becoming a prime target for attackers in recent years, it’s crucial that customers update to the latest version of the software with immediate effect.


    Source: thehackernews.com…

  • Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor

    Jun 17, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper.

    The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).

    Google addressed the flaw later that month after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations.

    “The initial attack vector was a phishing email containing a malicious link,” security researchers Stanislav Pyzhov and Vladislav Lunin said. “When the victim clicked the link, it triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff.”

    The phishing email is said to have been disguised as an invitation to the Primakov Readings forum – the same lure detailed by Kaspersky – urging users to click on a link that led to a fake website hosting the exploit.

    TaxOff is the name assigned to a hacking group that was first documented by the Russian cybersecurity company in late November 2024 as targeting domestic government agencies using legal and finance-related phishing emails to deliver Trinper.

    Written in C++, the backdoor makes use of multithreading to capture victim host information, record keystrokes, gather files matching specific extensions (.doc, .xls, .ppt, .rtf, and .pdf), and establish a connection with a remote server to receive commands and exfiltrate the results of the execution.

    The instructions sent from the command-and-control (C2) server extend the implant’s functionality, allowing it to read/write files, run commands using cmd.exe, launch a reverse shell, change directory, and shut itself down.

    “Multithreading provides a high degree of parallelism to hide the backdoor while retaining the ability to collect and exfiltrate data, install additional modules, and maintain communications with C2,” Lunin noted at the time.

    Positive Technologies said its investigation into the mid-March 2025 intrusion led to the discovery of another attack dating back to October 2024 that also commenced with a phishing email, which purported to be an invitation to an international conference called “Security of the Union State in the modern world.”

    The email message also contained a link, which downloaded a ZIP archive file containing a Windows shortcut that, in turn, launched a PowerShell command to ultimately serve a decoy document while also dropping a loader responsible for launching the Trinper backdoor by means of the open-source Donut loader. A variation of the attack has been found to swap out the Donut loader in favor of Cobalt Strike.

    This attack chain, per the company, shares several tactical similarities with that of another hacking group tracked as Team46, raising the possibility that the two threat activity clusters are one and the same.

    Interestingly, another set of phishing emails sent by the Team46 attackers a month before claimed to be from Moscow-based telecom operator Rostelecom, alerting recipients to supposed maintenance outages last year.

    These emails included a ZIP archive, which embedded a shortcut that launched a PowerShell command to deploy a loader that had been previously used to deliver another backdoor in an attack targeting an unnamed Russian company in the rail freight industry.

    The March 2024 intrusion, detailed by Doctor Web, is notable for the fact that one of the payloads weaponized a DLL hijacking vulnerability in the Yandex Browser (CVE-2024-6473, CVSS score: 8.4) as a zero-day to download and execute unspecified malware. It was resolved in version 24.7.1.380 released in September 2024.

    “This group leverages zero-day exploits, which enables it to penetrate secure infrastructures more effectively,” the researchers said. “The group also creates and uses sophisticated malware, implying that it has a long-term strategy and intends to maintain persistence on the compromised systems for an extended period.”


    Source: thehackernews.com…

  • LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents

    Jun 17, 2025 | Ravie Lakshmanan | Vulnerability / LLM Security

    Cybersecurity researchers have disclosed a now-patched security flaw in LangChain’s LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts.

    The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security.

    LangSmith is an observability and evaluation platform that allows users to develop, test, and monitor large language model (LLM) applications, including those built using LangChain. The service also offers what’s called a LangChain Hub, which acts as a repository for all publicly listed prompts, agents, and models.

    “This newly identified vulnerability exploited unsuspecting users who adopt an agent containing a pre-configured malicious proxy server uploaded to ‘Prompt Hub,’” researchers Sasi Levi and Gal Moyal said in a report shared with The Hacker News.

    “Once adopted, the malicious proxy discreetly intercepted all user communications – including sensitive data such as API keys (including OpenAI API Keys), user prompts, documents, images, and voice inputs – without the victim’s knowledge.”

    The first phase of the attack unfolds as follows: A bad actor crafts an artificial intelligence (AI) agent and configures it with a model server under their control via the Proxy Provider feature, which allows the prompts to be tested against any model that is compliant with the OpenAI API. The attacker then shares the agent on LangChain Hub.

    The next stage kicks in when a user finds this malicious agent via LangChain Hub and proceeds to “Try It” by providing a prompt as input. In doing so, all of their communications with the agent are stealthily routed through the attacker’s proxy server, causing the data to be exfiltrated without the user’s knowledge.

    The captured data could include OpenAI API keys, prompt data, and any uploaded attachments. The threat actor could weaponize the OpenAI API key to gain unauthorized access to the victim’s OpenAI environment, leading to more severe consequences, such as model theft and system prompt leakage.

    What’s more, the attacker could use up all of the organization’s API quota, driving up billing costs or temporarily restricting access to OpenAI services.

    It doesn’t end there. Should the victim opt to clone the agent into their enterprise environment, along with the embedded malicious proxy configuration, it risks continuously leaking valuable data to the attackers without giving the victim any indication that their traffic is being intercepted.

    Following responsible disclosure on October 29, 2024, the vulnerability was addressed in the backend by LangChain as part of a fix deployed on November 6. In addition, the patch implements a warning prompt about data exposure when users attempt to clone an agent containing a custom proxy configuration.
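    The clone-time warning described above can be approximated on the consumer side with a pre-clone audit of the agent’s model-endpoint configuration. The following is an added example and not LangChain’s or Noma Security’s code; the config field names (`model_server`, `base_url`), the trusted-host list and the two sample agents are constructed assumptions.

```python
# Added example (not LangSmith's or Noma Security's code): audit an agent config
# before cloning it and flag a custom proxy/model endpoint, mirroring the warning
# LangChain added after the AgentSmith disclosure.  Field names, the trusted-host
# list and the sample agents below are assumptions constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Model endpoints an organization has explicitly approved (constructed sample list).
TRUSTED_MODEL_HOSTS = {"api.openai.com"}

# Constructed sample agents: one using the default provider endpoint, one routed
# through an attacker-controlled OpenAI-compatible proxy (hypothetical hostname).
BENIGN_AGENT = {"name": "summarizer",
                "model_server": {"base_url": "https://api.openai.com/v1"}}
MALICIOUS_AGENT = {"name": "summarizer-pro",
                   "model_server": {"base_url": "https://models.example-proxy.test/v1"}}


def _host_is_trusted(host: str, trusted: set) -> bool:
    """Exact match or subdomain of an approved host (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def _host_is_ip_literal(host: str) -> bool:
    """True for raw IPv4/IPv6 endpoints, which never belong to a public model API."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_agent_config(config: dict, trusted: set = TRUSTED_MODEL_HOSTS) -> list:
    """Return a list of findings about the agent's model endpoint.

    An empty list means the agent uses the default provider endpoint or an
    approved host; anything else should trigger a warning before "Try It"/clone.
    """
    findings = []
    server = config.get("model_server") or {}
    base_url = server.get("base_url")
    if base_url is None:
        return findings  # no custom proxy configured, nothing to intercept traffic
    parts = urlsplit(str(base_url))
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append(f"endpoint is not https ({parts.scheme or 'no scheme'}): {base_url}")
    if not host:
        findings.append(f"endpoint has no parseable host: {base_url}")
        return findings
    if _host_is_ip_literal(host):
        findings.append(f"endpoint is a raw IP address: {host}")
    elif not _host_is_trusted(host, trusted):
        findings.append(f"endpoint host is not on the trusted list: {host}")
    if parts.username or parts.password:
        findings.append("endpoint URL embeds credentials")
    return findings


def should_warn_before_clone(config: dict, trusted: set = TRUSTED_MODEL_HOSTS) -> bool:
    """Decision helper a hub client could call before cloning or trying an agent."""
    return bool(audit_agent_config(config, trusted))


if __name__ == "__main__":
    for agent in (BENIGN_AGENT, MALICIOUS_AGENT):
        print(agent["name"], "->", audit_agent_config(agent) or "ok")
```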

    “Beyond the immediate risk of unexpected financial losses from unauthorized API usage, malicious actors could gain persistent access to internal datasets uploaded to OpenAI, proprietary models, trade secrets and other intellectual property, resulting in legal liabilities and reputational damage,” the researchers said.

    New WormGPT Variants Detailed

    The disclosure comes as Cato Networks revealed that threat actors have released two previously unreported WormGPT variants that are powered by xAI Grok and Mistral AI Mixtral.

    WormGPT launched in mid-2023 as an uncensored generative AI tool designed to expressly facilitate malicious activities for threat actors, such as creating tailored phishing emails and writing snippets of malware. The project shut down not long after the tool’s author was outed as a 23-year-old Portuguese programmer.

    Since then, several new “WormGPT” variants have been advertised on cybercrime forums like BreachForums, including xzin0vich-WormGPT and keanu-WormGPT, that are designed to provide “uncensored responses to a wide range of topics” even if they are “unethical or illegal.”

    “‘WormGPT’ now serves as a recognizable brand for a new class of uncensored LLMs,” security researcher Vitaly Simonovich said.

    “These new iterations of WormGPT are not bespoke models built from the ground up, but rather the result of threat actors skillfully adapting existing LLMs. By manipulating system prompts and potentially employing fine-tuning on illicit data, the creators offer potent AI-driven tools for cybercriminal operations under the WormGPT brand.”


    Source: thehackernews.com…

  • Silver Fox APT Targets Taiwan with Complex Gh0stCringe and HoldingHands RAT Malware

    Jun 17, 2025 | Ravie Lakshmanan | Malware / Email Security

    Cybersecurity researchers are warning of a new phishing campaign that’s targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe.

    The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan’s National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News.

    The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, referred to as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT.

    It’s worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups.

    The starting point of the attack is a phishing email that masquerades as messages from the government or business partners, employing lures related to taxes, invoices, and pensions to persuade recipients into opening the attachment. Alternate attack chains have been found to leverage an embedded image that, when clicked, downloads the malware.

    The PDF files, in turn, contain a link that redirects prospective targets to a download page hosting a ZIP archive. Present within the file are several legitimate executables, shellcode loaders, and encrypted shellcode.

    The multi-stage infection sequence uses the shellcode loader to decrypt and execute the shellcode, which consists of DLL files loaded by the legitimate binaries through DLL side-loading. Intermediate payloads deployed as part of the attack incorporate anti-VM and privilege escalation so as to ensure that the malware runs unimpeded on the compromised host.

    The attack culminates with the execution of “msgDb.dat,” which implements command-and-control (C2) functions to collect user information and download additional modules to facilitate file management and remote desktop capabilities.

    Fortinet said it also discovered the threat actor propagating Gh0stCringe via PDF attachments in phishing emails that lead users to HTM document-download pages.

    “The attack chain comprises numerous snippets of shellcode and loaders, making the attack flow complex,” the company said. “Across winos, HoldingHands, and Gh0stCringe, this threat group continuously evolves its malware and distribution strategies.”


    Source: thehackernews.com…

  • Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms

    Jun 17, 2025 | Ravie Lakshmanan | Threat Intelligence / Identity Security

    The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG).

    “Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity,” John Hultquist, chief analyst at GTIG, said in an email Monday.

    “We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”

    Scattered Spider is the name assigned to an amorphous collective that’s known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the wake of the latter’s supposed takeover of RansomHub’s infrastructure.

    “The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics,” SOS Intelligence said.

    “Often described as ‘native English speakers,’ they are suspected to operate in or have ties to Western countries, bringing a cultural fluency that makes their phishing and phone-based attacks alarmingly effective.”

    Earlier this month, ReliaQuest revealed that Scattered Spider and DragonForce are increasingly targeting managed service providers (MSPs) and IT contractors to obtain access to several downstream customers through a single compromise.

    Google-owned Mandiant said the threat actors often single out large enterprise organizations, likely hoping to land a bigger payday.

    Particularly targeted are enterprises with large help desks and outsourced IT functions that are susceptible to social engineering attacks.

    To mitigate the tactics used by the e-crime group, organizations are advised to strengthen authentication, enforce rigorous identity controls, implement access restrictions and boundaries that prevent privilege escalation and lateral movement, and train help desk personnel to positively verify an employee’s identity before resetting their account.



    Source: thehackernews.com…

  • Backups Are Under Attack: How to Protect Your Backups

    Backups Are Under Attack: How to Protect Your Backups

    Ransomware has become a highly coordinated and pervasive threat, and traditional defenses are increasingly struggling to neutralize it. Today’s ransomware attacks initially target your last line of defense — your backup infrastructure. Before locking up your production environment, cybercriminals go after your backups to cripple your ability to recover, increasing the odds of a ransom payout.

    Notably, these attacks are carefully engineered takedowns of your defenses. The threat actors disable backup agents, delete snapshots, modify retention policies, encrypt backup volumes (especially those that are network accessible) and exploit vulnerabilities in integrated backup platforms. They are no longer just trying to deny you access; they are erasing the very means of recovery. If your backup environment isn’t built with this evolving threat landscape in mind, it’s at high risk of being compromised.

    How can IT pros defend against this? In this guide, we’ll uncover the weak strategies that leave backups exposed and explore actionable steps to harden both on-site and cloud-based backups against ransomware. Let’s see how to build a resilient backup strategy, one that you can trust 100% even in the face of sophisticated ransomware attacks.

    Common pitfalls that leave backups exposed

    Inadequate separation and the lack of offsite or immutable copies are among the most common weaknesses in backup strategies. Snapshots or local backups alone aren’t enough; if they reside in the same on-site environment as production systems, they can be easily discovered, encrypted or deleted by attackers. Without proper isolation, backup environments are highly susceptible to lateral movement, allowing ransomware to spread from compromised systems to backup infrastructure.

    Here are some of the most common lateral attack techniques used to compromise backups:

    • Active Directory (AD) attacks: Attackers exploit AD to escalate privileges and gain access to backup systems.
    • Virtual host takeover: Malicious actors utilize a misconfiguration or vulnerability in the guest tools or hypervisor code to control the hypervisor and virtual machines (VMs), including those hosting backups.
    • Windows-based software attacks: Threat actors exploit built-in Windows services and known behaviors across versions for entry points into backup software and backup repositories.
    • Common vulnerabilities and exposures (CVE) exploitation: High-severity CVEs are routinely targeted to breach backup hosts before patches are applied.

    Another major pitfall is relying on a single cloud provider for cloud backups, which creates a single point of failure and increases the risk of total data loss. For instance, if you’re backing up Microsoft 365 data in the Microsoft environment, your backup infrastructure and source systems share the same ecosystem, making them easy to discover. With stolen credentials or application programming interface (API) access, attackers can compromise both at once.

    Build backup resilience with the 3-2-1-1-0 strategy

    The 3-2-1 backup rule has long been the gold standard in data protection. However, as ransomware increasingly targets backup infrastructure, it’s no longer enough. Today’s threat landscape calls for a more resilient approach, one that assumes attackers will try to destroy your ability to recover.

    That’s where the 3-2-1-1-0 strategy comes in. This approach aims to keep three copies of your data and store them on two different media, with one copy offsite, one immutable copy and zero backup errors.

    Fig 1: The 3-2-1-1-0 backup strategy

    Here’s how it works:

    3 copies of data: 1 production + 2 backups

    When backing up, it’s critical not to rely solely on file-level backups. Use image-based backups that capture the full system — the operating system (OS), applications, settings and data — for more complete recovery. Look for capabilities such as bare metal recovery and instant virtualization.

    Use a dedicated backup appliance (physical or virtual) instead of standard backup software for greater isolation and control. When looking for appliances, consider ones built on hardened Linux to reduce the attack surface and avoid Windows-based vulnerabilities and commonly targeted file types.

    2 different media formats

    Store backups on two distinct media types — local disk and cloud storage — to diversify risk and prevent simultaneous compromise.

    1 offsite copy

    Ensure one backup copy is stored offsite and geographically separated to protect against natural disasters or site-wide attacks. Use a physical or logical airgap wherever possible.

    1 immutable copy

    Maintain at least one backup copy in an immutable cloud storage so that it cannot be altered, encrypted or deleted by ransomware or rogue users.

    0 errors

    Backups must be regularly verified, tested and monitored to ensure they’re error-free and recoverable when needed. Your strategy isn’t complete until you have full confidence in recovery.
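The 3-2-1-1-0 elements above can be checked mechanically against a backup inventory. The following is an added example, not code from the article or from any vendor; the `BackupCopy` record format and the two sample inventories are constructed here for illustration, so map your own backup reports onto them.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule.

Added example, not part of the original article. The inventory format
(a list of BackupCopy records) and the sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # e.g. "local-disk", "cloud-object", "tape"
    offsite: bool       # geographically separated from production
    immutable: bool     # WORM/object-lock: cannot be altered or deleted
    verify_errors: int  # failures from the last restore/boot verification


def check_3_2_1_1_0(copies: list[BackupCopy]) -> dict[str, bool]:
    """Return one pass/fail flag per element of the rule.

    Production data itself counts as the first of the three copies,
    so at least two backup copies are required.
    """
    media = {c.media for c in copies}
    return {
        "3_copies": len(copies) >= 2,          # production + 2 backups
        "2_media": len(media) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        "0_errors": all(c.verify_errors == 0 for c in copies),
    }


def gaps(copies: list[BackupCopy]) -> list[str]:
    """Names of the rule elements that are not satisfied."""
    return [k for k, ok in check_3_2_1_1_0(copies).items() if not ok]


# Constructed sample: a common weak setup (local snapshots only, same
# site as production, last verification failed) versus a compliant one.
WEAK = [
    BackupCopy("nightly-snapshot", "local-disk", False, False, 0),
    BackupCopy("weekly-snapshot", "local-disk", False, False, 3),
]
RESILIENT = [
    BackupCopy("appliance-image", "local-disk", False, False, 0),
    BackupCopy("cloud-object-lock", "cloud-object", True, True, 0),
]

if __name__ == "__main__":
    print("weak setup gaps:", gaps(WEAK))            # four elements fail
    print("resilient setup gaps:", gaps(RESILIENT))  # []
```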

    To make the 3-2-1-1-0 strategy truly effective, it’s critical to harden the environment where your backups live. Consider the following best practices:

    • Deploy the backup server in a secure local area network (LAN) environment to limit accessibility.
    • Restrict access using the principle of least privilege. Use role-based access control (RBAC) to ensure no local domain accounts have admin rights over the backup systems.
    • Segment backup networks so they accept no inbound traffic from the internet; allow outbound connections only, and permit only protected systems to communicate with the backup server.
    • Employ a firewall to enforce network access controls and use port-based access control lists (ACLs) on network switch ports.
    • Deploy agent-level encryption so data written to the backup server is encrypted using a unique key that only you can generate with your own passphrase.
    • Disable unused services and ports to reduce the number of potential attack vectors.
    • Enable multifactor authentication (MFA) — preferably biometric rather than time-based one-time password (TOTP) — for all access to the backup environment.
    • Keep backup systems patched and up to date to avoid exposure to known vulnerabilities.
    • Physically secure all backup devices with locked enclosures, access logs and surveillance measures.

    Best practices for securing cloud-based backups

    Ransomware can just as easily target cloud platforms, especially when backups live in the same ecosystem. That’s why segmentation and isolation are critical.

    Data segmentation and isolation

    To build a true air gap in the cloud, backup data must reside in a separate cloud infrastructure with its own authentication system. Avoid any reliance on production-stored secrets or credentials. This separation reduces the risk of a compromised production environment impacting your backups.

    Use private cloud backup architecture

    Choose services that move backup data out of the source environment and into an alternative cloud environment, such as a private cloud. This creates a logically isolated environment that’s shielded from original access vectors, delivering the air-gapped protection needed to withstand modern ransomware. Shared environments make it easier for attackers to discover, access or destroy both source and backup assets in a single campaign.

    Authentication and access control

    Cloud-based backups should use a completely separate identity system. Implement MFA (preferably biometric), RBAC and alerting for unauthorized changes, such as agent removal or retention policy modifications. Credentials must never be stored in the same ecosystem being backed up. Keeping access tokens and secrets outside of the production environment (like Azure or Microsoft 365) eliminates any dependency on them for backup recovery.
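The alerting called for here (and the tampering sequence described at the start of the article: agents disabled, snapshots deleted, retention shortened) can be expressed as a small detection over an audit trail. This is an added example, not the article’s or any vendor’s code; the JSON event schema, the action names and the sample events are constructed, so adapt the field mapping to the audit format your backup platform actually emits.

```python
"""Flag backup-tampering actions in an audit trail.

Added example, not part of the original article or any vendor product.
Event schema, action names and sample events are constructed.
"""
import json

# Actions the article names as precursors to a ransomware payload.
SUSPICIOUS_ACTIONS = {
    "agent.uninstall": "backup agent removed",
    "snapshot.delete": "snapshot deleted",
    "backup.job.disable": "backup job disabled",
}


def detect_tampering(lines, min_retention_days=30):
    """Return one alert string per suspicious event.

    Each line is a JSON object with at least 'ts', 'actor' and 'action';
    retention changes also carry 'old_days' and 'new_days'.
    """
    alerts = []
    for line in lines:
        ev = json.loads(line)
        action = ev.get("action", "")
        if action in SUSPICIOUS_ACTIONS:
            alerts.append(f"{ev['ts']} {ev['actor']}: {SUSPICIOUS_ACTIONS[action]}")
        elif action == "retention.update":
            # Shortening retention ages out good restore points; flag any
            # reduction, or any value below the organisation's floor.
            old, new = ev.get("old_days", 0), ev.get("new_days", 0)
            if new < old or new < min_retention_days:
                alerts.append(f"{ev['ts']} {ev['actor']}: retention cut {old}d -> {new}d")
    return alerts


# Constructed sample audit trail (not real log data).
SAMPLE_LOG = [
    '{"ts":"2025-06-17T01:02:03Z","actor":"svc-backup","action":"backup.job.run"}',
    '{"ts":"2025-06-17T01:10:00Z","actor":"jdoe","action":"retention.update","old_days":90,"new_days":1}',
    '{"ts":"2025-06-17T01:11:30Z","actor":"jdoe","action":"snapshot.delete","target":"srv01-2025-06-16"}',
    '{"ts":"2025-06-17T01:12:05Z","actor":"jdoe","action":"agent.uninstall","host":"srv01"}',
    '{"ts":"2025-06-17T02:00:00Z","actor":"svc-backup","action":"retention.update","old_days":90,"new_days":120}',
]

if __name__ == "__main__":
    for alert in detect_tampering(SAMPLE_LOG):  # three alerts; the extension to 120d is benign
        print("ALERT", alert)
```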

    How Datto BCDR secures your backups for 100% recovery confidence

    Even with the right strategy, resilience ultimately depends on the tools you choose. That’s where Datto’s business continuity and disaster recovery (BCDR) platform stands out. Datto BCDR offers seamless local and cloud continuity powered by its SIRIS and ALTO appliances and immutable Datto BCDR Cloud. It ensures your backups are always recoverable, even in worst-case scenarios.

    Fig 2: How Datto BCDR delivers business continuity

    Here’s how Datto BCDR delivers guaranteed recovery:

    • Local and cloud redundancy: Datto BCDR provides robust backup appliances that double as local recovery targets. You can run workloads and applications directly on the device during a failure. If on-prem systems are compromised, recovery shifts seamlessly to the Datto BCDR Cloud for virtualized operations, ensuring business continuity without disruption.
    • The power of immutable Datto BCDR Cloud: Purpose-built for backup and disaster recovery, the Datto BCDR Cloud delivers unmatched flexibility, security and performance. It goes beyond basic offsite storage to offer multilayered protection, making critical data both safe and instantly recoverable.
    • Effective ransomware defense: Datto appliances run on a hardened Linux architecture to mitigate vulnerabilities commonly targeted in Windows systems. They also include built-in ransomware detection that actively scans for threats before any recovery is initiated.
    • Automated, verified backup testing: Datto’s automated screenshot verification confirms that VMs can boot from backups. It also performs application-level checks to ensure workloads function correctly after restore, helping IT teams validate recovery without guesswork.
    • Lightning-fast recovery options that make recovery seamless include:
      • Features like 1-Click Disaster Recovery (1-Click DR) that make disaster recovery near instant.
      • Secure, image-based backups for full-system restoration.
      • Cloud Deletion Defense™ to instantly recover deleted cloud snapshots, whether accidental or malicious.

    Is it time to rethink your backup strategy?

    Cyber resilience starts with backup security. Before ransomware strikes, ask yourself: Are your backups truly separated from your production systems? Can they be deleted or encrypted by compromised accounts? When was the last time you tested them?

    Now is the time to evaluate your backup strategy through a risk-based lens. Identify the gaps, fortify the weak points and make recovery a certainty — not a question.

    Explore how Datto BCDR can help you implement a secure, resilient backup architecture that’s built for real-world threats. Get pricing today.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…