This article provides advice on how to monitor networks and systems for potential indicators of compromise relating to recent agent pairing vulnerabilities.
Details regarding agent pairing vulnerabilities can be found in the open letter. Understanding that partners may wish to monitor networks and protected systems for signs of compromise, we have established this guideline. The Datto ShadowSnap and Datto Windows Agent software network services run on TCP/25566 and TCP/25568 respectively. With that knowledge, the below methods of monitoring may prove useful.
Network traffic monitoring
If network traffic logs or flow data exist, and contain information about connections to systems running a Datto agent, then a review of those artifacts could determine if any connections have been made to the device from a non-Datto appliance IP.
A successful network connection from a non-Datto IP does not implicitly mean that an agent was compromised. It only serves as a leading indicator that an unexpected system has made a connection with the agent on its service port, and is worth investigating further.
This method of investigation may lead to false positives, especially if there are authorized hosts within the network that conduct service scanning (i.e. an nmap scan enumerating tcp ports on all network connected systems, a vulnerability scanner, etc.).
Agent backup behavior
For Datto Windows Agent hosts, the leading indicator of compromise you can monitor for is an agent failing backups. When a Datto appliance is paired with an agent and then the agent pairing relationship is severed, you will receive notifications of backup failures from the legitimate Datto appliance for that affected agent. These backup failure notices will persist until you re-pair the legitimate Datto appliance with the agent.
Agent log assessment
For ShadowSnap agent hosts, there is a log file that you can monitor to see if pairing requests have been made from an IP that does not belong to the legitimate Datto appliance.
C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\log\raw_agent.log
In the below log sample, the response to the pair request was an HTTP 201, which indicates success. All attempts from the non-Datto IP may warrant investigation despite the response code as it indicates an attempt to pair, which should be viewed as unusual from a non-Datto appliance IP:
11/07 08:28:31 cherrypy.access.105115600(280) <INFO>:10.1.23.159 - datto [07/Nov/2017:08:28:31] "POST /pair HTTP/1.1" 201 2 "" "PHP/7.0.4-7ubuntu2.1 (CLI; automated bot request)"