
Kellman Meghu, principal security architect at Canada-based risk management firm DeepCove Cybersecurity, said the worry is how the vulnerabilities could be used by a threat actor to get root privileges to the backup, “which is the worst it can get as far as compromise. From the sounds of the exploit, just being able to update a config file could be the avenue for executing malicious commands at the highest privileges.”
Admins who can’t patch quickly, or who have been running unpatched versions for any length of time, should first audit all configuration files and backup operations, confirming that no config file has been altered and that no unexpected actions have been executed. Alerts should be set for every backup process run, so that it is closely monitored until the suite can be patched.
“Keep in mind,” he added, “if you do see unusual behavior, it is a sign that there is a malicious actor or inside threat operating, and you would need to take a holistic incident response.”
