TH16121

Detected presence of software components that can tamper with the system backup functions.

| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
|  | pass | high | high | None | None |

About the issue

Operating systems provide utilities that let users have their data backed up automatically. Backups provide resilience against incidents of material data loss, such as hardware corruption or unintended file deletion. Financially motivated attackers often aim to disable backup systems and delete all instances of previously backed-up data. Malicious code that exhibits these behaviors is commonly referred to as ransomware. Ransomware encrypts user-generated data and demands a monetary payment in return for restoring the victim's access to it. While the presence of code that disables backup systems does not necessarily imply malicious intent, every use of it in a software package should be documented and approved. Only select applications should consider using functions that can temporarily disable backups. One example of acceptable use for such functions is allowing the user to reduce their storage footprint when data backups are no longer needed.

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult MITRE ATT&CK documentation: T1490 - Inhibit System Recovery.
  • Consider rewriting the flagged code without using the marked behaviors.