Video surveillance solutions developer Axis Communications this week has been working to recover from a cyber attack that was first detected on their network on Sunday.

Although company officials do not believe that any sensitive customer or partner data was compromised, the attack, which was first reported by IPVM, still caused damage to many of the company’s services. As of Wednesday afternoon, Axis was reporting that its Camera Center video management, remote access tools and licensing systems were still experiencing major bugs, as was the AXIS OS device/software upgrade within the AXIS Controller software platform.

“As a preventive measure, [the IT team] completely disabled everything public-facing — all Internet services — to eliminate any possible damage from the attack,” Chris Shanelaris, a spokesman for the company, told SecurityInfoWatch.com (SIW) when reached for comment Wednesday. “Since then, they’ve been working to restore all affected services and things seem to be good. It looks like they were able to get things under control at first, so it looks like no data was affected and we’ve just been gradually updating systems and notifying our partners.”

Shanelaris could not discuss the specifics of the attack, but confirmed that there is no evidence that it is the result of a ransomware infection.

Here is the statement Axis released to SIW in its entirety:

On February 20, our detection systems alerted us to a possible IT-related attack. An investigation began immediately and traces of illegal activities were found. As a preventive measure, we shut down public Internet services to minimize the potential damage from the attack. We have been working quickly to restore affected services and preserve the security of our systems and data. Some systems have been restored and we expect continued improvements over the next few days. We keep our partners and customers informed of important updates as they become available. Status updates can be found at status.axis.com.

We have no information about this being a ransomware attack. And the attack seems to have been stopped early. So far there is no indication that customer information has been compromised but we are continuing to investigate.

Shanelaris does not have an estimate from their IT team as to when services will be fully restored, but encourages anyone with questions to contact their Axis representative by phone or check status.axis.com for ongoing updates.

Factory Effects

According to Rodney Thayer, Convergence Engineer at Smithee Solutions and an expert in the use of networks in physical security and infrastructure deployment, the attack against Axis should be a reminder to ask security vendors who provide any kind of service through the cloud to follow current best practices surrounding cloud services, including following the Cloud Security Alliance’s guidelines to expose public audits of those services.

Especially as it relates to video surveillance, Thayer said organizations need to make sure they don’t get “toxic software updates,” make sure any cloud-connected solutions they have use sound and secure systems, and verify that any cloud service they use, such as video storage or analytics, has proper protection so it cannot become a conduit for attacks into the rest of the business network infrastructure.

Update: As of February 27, Axis Communications reports on its website that this cyber incident has been resolved. Here’s the full “post mortem” of the incident that the company posted on its website:

In the night between Saturday February 19 and Sunday February 20, Axis suffered a cyber attack. Using several combinations of social engineering, attackers were able to log in as a user despite defense mechanisms such as multi-factor authentication.

Internally, attackers used advanced techniques to increase their access and eventually gain access to directory services.

Axis’ threat detection systems alerted scene workers to unusual, suspicious behavior, and an investigation began early Sunday morning. At around 9 am CET on Sunday morning, IT management decided to bring in external security experts and at around 12:00 (noon), it was confirmed that hackers were working inside Axis networks. A decision was taken to cut all external connections immediately as a way to cut off intruders.

At 6pm all internet access was shut down around the world. The move had the intended effect of locking out intruders from their access.

It also caused the loss of external services for Axis employees, such as internal and external email. Affiliate services were also affected, with axis.com and extranets unavailable.

Investigations quickly showed that parts of the server infrastructure had been compromised while other parts remained intact.

Investigation work and projects to clean up and restore the affected components began immediately with the intention of a rapid and gradual return to normal operating conditions.

Global production and distribution remained unaffected throughout the period.

Our first customer-facing services were available on Sunday evening, February 20th.

Gradually over the following days, more and more external services were taken down and brought back online, including commercial services, axis.com’s main sections and email services.

The situation on Sunday February 27 is that many external services have been restored while some are awaiting security clearance. As for internet-facing services, Axis is currently operating in a restricted mode. This will continue as long as the forensic investigation continues and until the cleanup and restoration is complete. This mostly affects our internal workflows and has very little impact on customers and partners. We expect the final parts of the customer-facing services to be fully available in a few days.

Results So Far

No servers were found to be encrypted but we did find malware and indications that local directory services were compromised. No customer information has been found to be compromised in any way. In general, we experience few signs of side effects other than general embarrassment and loss of productivity when we phase out productive services.

Attackers used many social engineering techniques to gain access despite our security systems. Improvements already made are changes that reduce the risk of human error. Technical security measures have been generally promoted throughout to reduce the risk of any such future incident. The effect is increased security at the cost of slightly smoother streaming.

It is a sad fact that no company is completely safe from the threat of cyber attacks. Our strategy remains the same. We aim to provide true security through a variety of protections:

    1. We prevent threats and attacks with automated and systematic monitoring
    2. Interventions are made difficult while keeping operational efficiency high
    3. Potential interference must be detected early to prevent further damage
    4. And in case of serious problems, we provide fast and reliable service restoration.

Needless to say, we are humbled by the gravity of the situation. We are also grateful that we were able to catch and stop the ongoing attack before it had more lasting effects.

We will come back with more details if our ongoing investigation uncovers more significant events.

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at joel@securityinfowatch.com.
