Video surveillance solutions manufacturer Axis Communications this week has been working to recover from a cyberattack that was first discovered on their network on Sunday.
Although company officials don’t believe that any sensitive customer or partner data was compromised, the attack, which was first reported by IPVM, has still wreaked havoc on many of the company’s services. As of Wednesday afternoon, Axis was reporting that its Camera Station video management, remote access and license systems tools were still experiencing a major outage along with device upgrades for the AXIS OS/apps within the Axis Device Manager software platform.
“As a preventative measure, [the IT team] completely disabled everything public facing – all internet service – in order to eliminate any potential damages from the attack,” Chris Shanelaris, the company’s spokesperson, told SecurityInfoWatch.com (SIW) when reached for comment on Wednesday. “Since then, they have been working to restore all of the affected services and things look good. It looks like they were able to curb things right at the beginning, so it looks like no data was compromised and we’ve just been gradually updating systems and keeping our partners aware.”
Shanelaris was not able to comment on the specifics of the attack, but he did confirm that there is no evidence to suggest that it was the result of a ransomware infection.
Here is a statement Axis provided to SIW in its entirety:
On Feb. 20, our detection systems alerted us of a possible IT-related attack. Investigations began immediately and traces of illegal activity were found. As a preventative measure, we disabled public-facing Internet services in order to limit potential damage from the attack. We’ve been working urgently to restore affected services and preserve the safety of our systems and data. Some systems have been restored and we expect continued improvement over the next few days. We are keeping our partners and customers aware of pertinent updates as available. Status updates can be found at status.axis.com
We have no information about this being a ransomware attack. And the attack appears to have been stopped early on. So far there are no signs that customer information has been affected but we continue to investigate.
Shanelaris doesn’t have an estimate from their IT team as to when services will be fully restored, but he encourages anyone with questions to contact their Axis rep via phone or to check status.axis.com for continuing updates.
Industry Impact
According to Rodney Thayer, Convergence Engineer at Smithee Solutions and an expert in networking use in physical security and infrastructure deployments, the attack against Axis should serve as a reminder to ask security vendors that provide any sort of service through the cloud to follow current best practices surrounding cloud services, including adhering to the Cloud Security Alliance’s guidelines to show public review of said services.
Specifically as is relates to video surveillance, Thayer said organizations need to make sure they are not getting “poison software updates,” ensure that whatever solutions they have that connect to the cloud use sound and secure systems, and confirm that any service they leverage the cloud for, such as video storage or analytics, has the proper protections in place so they cannot become an attack vector for the rest of the business' network infrastructure.
Update: As of Feb. 27th, Axis Communications is reporting on its website that this cyber incident has been resolved. Here is the full "post mortem" of the incident that the company posted on its website:
On the night between Saturday February 19 and Sunday February 20, Axis was the subject of a cyberattack. Using several combinations of social engineering, attackers were able to sign in as a user despite protective mechanisms such as multifactor authentication.
Inside, the attackers used advanced methods to elevate their access and eventually gain access to directory services.
Axis threat detection systems alerted incident staff of unusual, suspicious behavior, and investigations began early Sunday morning. At approximately 9 am CET Sunday morning, IT management decided to bring in external security experts and at approximately 12:00 (noon), it was confirmed that hackers were active inside Axis networks. The decision was taken to disconnect all external connectivity immediately as a way of cutting the intruders off.
At 6 pm all network access had been shut off globally. The measure had the intended effect of shutting the intruders off from their access.
It also resulted in a loss of external services for Axis staff, such as in- and outbound email. Partner services were also affected with axis.com and extranets being unavailable.
Investigations rapidly showed that parts of the server infrastructure had been compromised while other parts remained intact.
Forensic work and projects to clean and restore the affected components began immediately with the intention of rapidly and gradually coming back to normal operational status.
Global production and supply chain remained largely unaffected through the entire period.
Our first customer facing services were made available Sunday evening, February 20.
Gradually in the days that followed, more and more external services were cleared and made available online again, including commercial services, main parts of axis.com and email services.
Status Sunday February 27 is that most external facing services have been restored with some still awaiting security clearance. Regarding internet facing services, Axis currently operates in a restricted mode. This will continue as long as the forensic investigation is ongoing and until the cleaning and restoration is completed. This mainly affects our internal work streams and has very limited effect on customers and partners. We expect the final parts of our customer facing services to be completely available within a few days.
Findings So Far
No servers have been found to be encrypted but we found malware and indications that internal directory services were compromised. No customer information has been found to be affected in any way. In total, we find limited signs of damaging consequences aside of the general embarrassment and productivity loss as we clear services for production step by step.
The attackers used multiple methods of social engineering to gain access despite our security mechanisms. Improvements already undertaken are changes that reduce the risk of human error. The technical security mechanisms have been raised in general across the board to limit the risk of any similar future event. The effect is increased security at the cost of slightly less smooth workflows.
It is a regrettable fact that no company is entirely safe from the risk of cyber intrusions. Our strategy remains the same. We aim to provide real security through several different types of protection:
- We prevent threats and attacks with automated and systematic monitoring
- Intrusions are made difficult while keeping operational efficiency high
- Potential intrusions must be detected early to stop further damage
- And in case of severe problems, we provide rapid and reliable restoration of services.
Needless to say, we are humble in the face of and due to the gravity of the situation. We are also grateful that we were able to catch and stop an ongoing attack before it had much more lasting effects.
We will come back with more information if our ongoing investigation uncovers events of further relevance.
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].