
Backup server compromise thwarted
Organization: Environmental Consulting industry, 250–300 employees, Alberta, Canada
Solution: Sophos MDR, Sophos Firewall
Adversary behavior
A threat actor gains access to the customer's environment by authenticating to the customer's Sophos firewall over SSL VPN with a dormant service account, from an out-of-region IP address. Once inside, the attacker targets the Veeam backup server and attempts to create a new user account with administrative privileges—positioning themselves to compromise critical backup infrastructure and potentially launch ransomware or data exfiltration attacks.
Threat detection
Sophos MDR detects suspicious activity on the customer's Veeam backup server, where system commands are attempting to create a new user account with administrative privileges. While this could resemble routine IT behavior, it is paired with a suspicious SSL VPN login using a dormant service account from an out-of-region IP address—clear indicators of an active compromise.
Investigation
Sophos MDR analysts quickly correlate the VPN authentication anomaly with the backup server activity, confirming that the attacker is attempting to establish persistent administrative access to critical backup infrastructure. The use of a dormant service account and out-of-region IP strongly indicates credential compromise and malicious intent.
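The detection and investigation described above rest on one idea: an admin-account creation on a backup server is ambiguous on its own, and a VPN login is ambiguous on its own, but the two become a strong signal when they share an identity, fall within a short time window, and the login carries anomalies (dormant account, unexpected source region). The following is an added example, not Sophos code and not the firewall's actual log format: it runs that correlation over a handful of constructed log lines, using an assumed account inventory, assumed expected source networks (documentation-only prefixes), and an assumed critical-host list.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory (assumption): last known legitimate use of each account.
ACCOUNT_LAST_USED = {
    "svc-backup-legacy": datetime(2024, 3, 2),
    "jsmith": datetime(2025, 1, 14),
}
DORMANCY_DAYS = 90

# Constructed (assumption): source ranges from which VPN logins are expected.
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed (assumption): hosts where a local admin change is always escalated.
CRITICAL_HOSTS = {"VEEAM-BKP01"}

# Constructed log format (assumption): one VPN line and one process line style.
VPN_RE = re.compile(
    r'^(?P<ts>\S+) vpn sslvpn_login user="(?P<user>[^"]+)" '
    r'src=(?P<src>\S+) result=(?P<result>\w+)$'
)
PROC_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user="(?P<user>[^"]+)" cmd="(?P<cmd>.+)"$')

# Commands that create a local user or add one to the local Administrators group.
ADMIN_CHANGE_RE = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+(?:user\s+\S+\s+(?:\S+\s+)?/add"
    r"|localgroup\s+administrators\s+\S+\s+/add)\b",
    re.IGNORECASE,
)

# Constructed sample telemetry: a dormant account logs in from outside the expected
# range and immediately creates an admin on the backup server; a normal login by a
# current user precedes a routine account creation on a workstation.
SAMPLE_LOGS = """\
2025-01-15T02:14:07Z vpn sslvpn_login user="svc-backup-legacy" src=198.51.100.23 result=success
2025-01-15T02:14:40Z host=VEEAM-BKP01 user="svc-backup-legacy" cmd="net user bkupsvc /add"
2025-01-15T02:14:52Z host=VEEAM-BKP01 user="svc-backup-legacy" cmd="net localgroup administrators bkupsvc /add"
2025-01-15T09:02:11Z vpn sslvpn_login user="jsmith" src=203.0.113.40 result=success
2025-01-15T09:30:00Z host=WKS-017 user="jsmith" cmd="net user helpdesk-tmp /add"
"""


@dataclass
class Event:
    ts: datetime
    kind: str          # "vpn" or "proc"
    user: str
    host: str
    detail: str        # source IP for vpn, command line for proc
    risks: list


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def vpn_risks(user: str, src: str, at: datetime) -> list:
    """Flag identity and origin anomalies on a successful VPN login."""
    risks = []
    last = ACCOUNT_LAST_USED.get(user)
    if last is None or at - last > timedelta(days=DORMANCY_DAYS):
        risks.append("dormant_account")
    ip = ipaddress.ip_address(src)
    if not any(ip in net for net in EXPECTED_SOURCE_NETS):
        risks.append("out_of_region_source")
    return risks


def parse_events(text: str) -> list:
    """Keep only successful VPN logins and local admin-change commands."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m and m["result"] == "success":
            ts = parse_ts(m["ts"])
            events.append(Event(ts, "vpn", m["user"], "firewall", m["src"],
                                vpn_risks(m["user"], m["src"], ts)))
            continue
        m = PROC_RE.match(line)
        if m and ADMIN_CHANGE_RE.search(m["cmd"]):
            risks = ["local_admin_change"]
            if m["host"] in CRITICAL_HOSTS:
                risks.append("critical_host")
            events.append(Event(parse_ts(m["ts"]), "proc", m["user"], m["host"], m["cmd"], risks))
    return events


def correlate(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Pair each admin change with a preceding VPN login by the same identity."""
    alerts = []
    logins = [e for e in events if e.kind == "vpn"]
    for change in (e for e in events if e.kind == "proc"):
        for login in logins:
            if login.user != change.user or not (timedelta(0) <= change.ts - login.ts <= window):
                continue
            risks = sorted(set(login.risks + change.risks))
            if login.risks and "critical_host" in change.risks:
                severity = "high"      # anomalous login + critical backup host
            elif login.risks:
                severity = "medium"    # anomalous login, ordinary host
            else:
                severity = "low"       # looks like routine IT work; log for review
            alerts.append({"user": change.user, "host": change.host, "src": login.detail,
                           "cmd": change.detail, "risks": risks, "severity": severity})
    return alerts


def run_detection() -> list:
    return correlate(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for a in run_detection():
        print(a["severity"].upper(), a["user"], a["host"], a["src"], a["risks"])
```

Running it yields two HIGH alerts for the dormant account on the Veeam host and one LOW entry for the workstation change, which is the separation the analysts make between an active compromise and routine administration. The dormancy threshold, expected networks and critical-host list are the tunable parts; the correlation window should stay short, since the case describes the admin change following the login almost immediately.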
Response
Because the customer has enabled Sophos MDR's "Authorize" response mode, analysts immediately execute containment actions on their behalf. Even before the customer becomes available, MDR terminates the malicious VPN session, disables the abused account, and isolates the backup server, fully severing the attacker's access and preventing any chance of escalation or lateral movement. When the customer connects with MDR shortly after, they confirm that the abused credentials belong to outdated legacy accounts. With Sophos MDR's guidance, they reset the credentials, block the attacker's IP, deploy MFA to VPN users, and upgrade the Veeam Backup Service to the latest secure version. By acting the moment the threat emerges, Sophos MDR neutralizes the attacker's foothold and protects the customer from a breach that may have gone undetected—or unchecked—by technology alone.