Keep ACPHO backups localized only with no cloud storage access

Is it possible to completely remove the potential for signing up to cloud storage services or to eliminate your cloud account if you are just using Acronis Cyber Protect Home Office backups for local storage on your home network?

Reason I ask is recently seeing users with weak passwords having their Acronis [cloud] account breached, and hackers setting up cloud account storage services and backing up your home data to the cloud, ultimately for them to retrieve without the user knowing.

Here's just 1 instance that got me thinking on this... (unfortunately I can't post links here, but if you google for "reddit acronis Someone just backed up all my financial data to the cloud without me knowing" you'll get to see what I'm seeing).

Is that the case then that ultimately the strength of your Acronis password for the ACPHO account is the only thing that stands in the way of someone doing this? I'm also not seeing any MFA/2FA that we can use to protect our account password either. Granted, this particular user was using a password that was already on a list for credential stuffing, but it still leaves me with concerns.

Any help/suggestions would greatly be appreciated and thanks!


John, yours is the first such report of anyone saying that Acronis Cloud accounts have been hacked / compromised that I have seen.

To my knowledge, there is no option to not be signed in to your Acronis Account with ACPHO due to it being a subscription only application but users do not have to subscribe to any Acronis Cloud storage, and can change their Acronis Account password as often as they wish.

I would suggest escalating this issue by sending an email to Arpita Ghosh who is the Acronis Product Manager for these home office products! (Arpita.Ghosh@acronis.com).

Hi Steve...

Thank you for your reply.

Just to be clear, the scenario would be if your personal Acronis cloud account was to be breached on your own personal PC ( not Acronis getting hacked, although that's not out of the question nowadays either ) the bad actors could potentially use Acronis cloud services and restore your data there and retrieve it although you only intended to run these backups/restores locally.

Therefore, it is absolutely critical that your Acronis cloud account have a strong password so that this can NOT be done.  It's also unfortunate that Acronis doesn't provide MFA for your account either which is another layer of security ... this would greatly reduce the likelihood of something like this happening.

For me, this is a show stopper and unacceptable level of risk of my data.

John, some comments.

1. If you do not store your backups in / use Acronis Cloud storage then there is no option for any 'bad actors' to access or restore anything.

2. If your personal Acronis cloud account was to be breached on your own personal PC then potentially the PC is already infected with some form of malware or credential stealing software / virus - however, if you did use Acronis Cloud storage then it is strongly recommended to encrypt such backups stored in the cloud with a strong password that bears no relation to your Acronis account credentials, so that anyone gaining access to the account would still encounter encrypted data and be unable to copy, download or restore anything without providing the password (phrase / string etc) used to encrypt it.

3. Many users have asked Acronis to have 2FA / MFA for their Acronis Accounts but this has not been provided to date!

"1. If you do not store your backups in / use Acronis Cloud storage then there is no option for any 'bad actors' to access or restore anything."

... So what you're saying is that if ( by whatever means ) these bad actors have your credentials there would be no way for them to subscribe your account to a cloud service storage account ( pay for it themselves ) and push a backup to the PC to use the cloud storage to successfully create a backup and then retrieve it to an alternate location from there?

Here was the original article posted on reddit that got me thinking about this...

Someone just backed up all my financial data to the cloud without me knowing!

I believe I've been a target of an Acronis cloud-based attack! This is a warning for all Acronis users to check your backups for surprise jobs!

I assume someone guessed or hacked my password into my acronis web account (and there's no email notification to me and they don't have 2FA!). From there, they registered my account for "Acronis Cyber Protect Home Office 1 Computer Advanced 250GB Cloud" storage. I received that email while I was at work. About 15 minutes after the registration, a job was pushed to my home PC to backup anything with the word "Financials" or Bitcoin or Coinbase or PASSWORD in the name up to the cloud! ...and it succeeded! (and a few others, there were two jobs created).

I didn't notice this until after dinner, changed my password, tried to delete the job and the cloud backup, but it has FAILED! All I can do is modify the job not to be scheduled and unselect all the files (except one dummy file). My personal financial data is still on the Acronis cloud. I opened a support case, but still waiting.

I believe my info was exposed for 12 hours to anyone who did this or had access to my cloud account to push this job to me. Everything from bank accounts to social security and wallet backups and recovery phrases. I am not sleeping tonight. I have a lot to do.

I never asked for cloud <expletive>.

John, I have no idea how such an attack could have taken place without the original PC having been compromised in the first place.

I have looked at the options in the Acronis Online Dashboard and the only destination options offered are the Acronis Cloud or else Local Folders.  I tried to add a new backup via the dashboard to my own NAS and got an immediate error.

There is an easy / simple way to prevent this type of attack (assuming the PC is not already compromised / infected by malware), which is to stop & disable the Acronis Managed Machine Service Mini background service - that is the service that communicates with the Online Dashboard, so if it isn't running then no attack is possible from the same.
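The stop-and-disable step above, as an added PowerShell example that is not the forum's or Acronis's own code. The short service name is not given in the thread, so the script assumes the display name contains "Managed Machine Service Mini" and matches it with a wildcard; run it from an elevated prompt and re-run after updates, since the thread notes updates re-enable the service.

```powershell
# Added example: locate the Acronis Managed Machine Service Mini (MMSM) service by
# display name, record its state, and stop/disable it so the Online Dashboard cannot
# push tasks to this PC. Assumption: the display name contains
# "Managed Machine Service Mini"; the short name is not stated in the thread.
#Requires -RunAsAdministrator

$pattern = '*Managed Machine Service Mini*'
$svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue |
       Select-Object -First 1

if (-not $svc) {
    Write-Output "No service matching '$pattern' found; nothing to do."
    return
}

function Get-ServiceState([string]$Name) {
    # Win32_Service exposes the start mode, which Get-Service alone does not show.
    $s = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    return "{0} State={1} StartMode={2}" -f $s.Name, $s.State, $s.StartMode
}

# Log the 'before' state so drift (an update re-enabling the service) is visible.
Write-Output ("Before: " + (Get-ServiceState $svc.Name))

if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force -ErrorAction Stop
}
Set-Service -Name $svc.Name -StartupType Disabled

Write-Output ("After:  " + (Get-ServiceState $svc.Name))

# Fail loudly if the change did not take (for example, not running elevated).
$after = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
if ($after.StartMode -ne 'Disabled' -or $after.State -ne 'Stopped') {
    throw "MMSM service is still $($after.State)/$($after.StartMode); re-run as Administrator."
}
```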

John, I have no idea how such an attack could have taken place without the original PC having been compromised in the first place.

Steve -> [Respectfully], you seem to keep reverting to the fact that somehow the PC is compromised. I however keep reiterating the simple fact that their login/password simply got compromised because, let's just say for argument's sake, they used the same credentials on other sites that did get compromised, leaving them open to credential stuffing attacks on the Acronis website. Can we agree on this? I mean, it could also be that someone wrote down their login/password on a piece of paper (whether they were at work or home) and someone got it maliciously. There are many possibilities that can happen here without your PC having a malware attack. So, let's continue, with the Acronis login/password in the hands of the bad actor...

I have looked at the options in the Acronis Online Dashboard and the only destination options offered are the Acronis Cloud or else Local Folders.  I tried to add a new backup via the dashboard to my own NAS and got an immediate error.

Steve -> Why would you not choose the Acronis Cloud? After all, that's what a bad actor would want to do.  Once it's in the cloud they would be able to view and/or restore to different hardware.  Why would a bad actor want to back up your data to a local NAS? Once again, I ask that you put on your bad actor hat :) and test out the plausibility of this happening.

I don't have a cloud subscription to test this out... that's why I was hoping to post it here on the forums for someone who can answer this. 

There is an easy / simple way to prevent this type of attack (assuming the PC is not already compromised / infected by malware), which is to stop & disable the Acronis Managed Machine Service Mini background service - that is the service that communicates with the Online Dashboard, so if it isn't running then no attack is possible from the same.

This could be the answer I was looking for.  If this effectively allows local backups only to take place and render the dashboard inoperative then that's the answer.

++++++++++++++++++++++++++

Again, my biggest concern here is using ACPHO software for local backups only and not realizing that you can be subjected to having all of your PC data stolen simply because someone got a hold of your Acronis credentials/created a cloud service account under your subscription/and is able to access your critical data by them backing it up to the cloud without your knowledge.

++++++++++++++++++++++++++

I will see if you have any additional details to add here or perhaps someone from Team Acronis.  I'm also willing to perform these steps myself (acting as a bad actor and paying for a cloud service account as though they would) and see how far they can get with my data which I now only backup locally to my 2 NAS storage devices on my home network. (I really didn't want to pay the subscription costs to test this when I thought throwing this out on the forums would answer my question.  I thought this would be an open and shut case with the answer being, yeah, you need a strong unique password otherwise this can happen).

+++++++++++++++++++++++++++

Steve -> Thank you for all the hard work you put in on these forums in support of the Acronis platform.  Very much appreciate your time and detailed responses provided on helping this forum succeed.

John, there is definitely a need for Acronis to provide the option for users to have 2FA or MFA for their Acronis account access, especially as by not doing so they open the possibility for data in a compromised account to be accessed, assuming that the user does not use password encryption for such cloud backups - but even then, if a hacker can get access to the Acronis online dashboard when the user PC is shown as online, then there remains the option for the hacker to create a new Backup task to the compromised Acronis Cloud and thus access user data in that way.

There are a lot of 'IFs' in the above scenario but it is not an impossible scenario, especially if users practise poor password management or use the same passwords across multiple different services etc.

I would suggest escalating this issue by sending an email to Arpita Ghosh who is the Acronis Product Manager for these home office products! (Arpita.Ghosh@acronis.com).  You could include a web link to the original reddit web post for the issue raising this concern.

Note: although I am gifted storage in the Acronis Cloud by virtue of being an MVP, I do not use this for my own data other than for testing other user scenarios, plus I have the Acronis MMSM background service disabled following other issues that this can give rise to! I have previously raised issues with Acronis about my system being shown in the online Dashboard despite my manually deleting them because the MMSM service got reactivated by an update etc!

I do not use cloud for anything, but I decided to look into the Acronis ACPHO documentation about this stuff. The interesting section is in the chapter Protecting Family Data.

I would have to agree that 2FA/MFA is a must have for better security.

What I cannot discern is to what extent the cloud servers can verify the device itself. That is, assuming a certain device is part of the "family", can a bad actor create another device to take the identity of the real device and therefore run a backup of an infected computer, remove the bad PC and restore the identity of the real PC and run a restore?

Since any device added under the account must have ACPHO installed, is there a unique key for that device? Is that key hidden such that access is not seen from the server?

Assuming the Acronis server has not been hacked while the user's account is compromised, is there much more that a bad actor could do than initiating backups and recoveries. Could he pull a backup to another location? Can he push a backup to the cloud?

John, I look forward to the results of any experiments you do.

Meanwhile, I'm with Steve. I disable the MMSM service.


The Acronis Cloud Backup Download tool could (arguably) be used to download a previously created backup to a "foreign" computer. All you need are the user name and password. So somehow someone gains access to the computer, makes a cloud backup, and once it is completed then uses the tool to download it.

As a proactive measure, I logged into my Acronis account and opened the Dashboard. I have four machines and saw about three entries for each of the four machines. Most of them indicated that the machine had been offline for a very long time (because I run with MMSM disabled). But I did find one machine where it was not disabled and I took care of that. I then went through to delete these machines from the dashboard.

One machine has an old ATI 2018 installed, two have ATI 2019 and one has the latest ACPHO. When I did this last night I found that the machine running ACPHO would periodically reappear in the dashboard as that machine was on, yet with MMSM disabled. This morning, the machine is asleep and not in the dashboard. I suspect something different with ACPHO which causes it to appear.

I think it appropriate for Acronis to include the Cloud Dashboard feature as something to selectively install. As it is, MMSM gets enabled on every update or repair install and then it gets back into the dashboard.

Bruno, this is one reason why I only run ACPHO on my VM's where I keep no personal data etc and also one reason I submitted a support case last year about my machines reappearing in the dashboard despite my neither wanting them to do so and having manually deleted them!!!

The following was the response from Acronis for my support case:

I can understand your concern in this matter. As mentioned earlier, I did follow up with Development Team of Acronis and they have confirmed that as per the design of Acronis application the device will get detected under Dashboard as and when the machine is connected to internet even if it was deleted manually before. I believe, there might be some issue with Acronis True Image 2020 due to which the manually deleted devices did not appear back under Dashboard even after connecting to internet.

I completely accept the point that the manually deleted device under Dashboard should not re-appear unless the user manually permits the operation. I discussed the situation with my Manager and with his approval/permission, I have placed a request directly to the Development Team of Acronis to consider this request and add the functionality within the Acronis application (to give the choice to add or remove a device manually, with no operations without the user's interaction).

The Development Team of Acronis goes through multiple levels such as analysis, recreation of the issue, testing, preparing a patch or solution, deployment etc, which basically involves a duration of time to complete the procedure. No ETA can be promised at this stage; however, we can expect such a feature to be implemented within the application soon.

Needless to say that nothing has changed so far with ACPHO.

I'm thinking this might be a good enhancement to the MVP Assistant... to detect whether the MMSM service is running or not, and give the user a very easy way to turn it on or off. Handling services has always been in the back of my mind but it might be time to get serious.

Just reviewing this post. While I agree that MFA/2FA is something that Acronis should implement, I believe that the root cause of what is reported is stolen credentials from the user who posted on reddit. Vigilance in protecting credentials is essential and is ultimately the user's responsibility.