Over 13,500 iSCSI storage clusters are currently reachable from the internet because their owners never enabled authentication. The misconfiguration opens a backdoor into enterprise disk storage arrays and people's NAS devices.
iSCSI stands for Internet Small Computer Systems Interface. It is a protocol for connecting workstations and servers to data storage devices such as disk storage arrays and network attached storage (NAS) devices. Disk storage arrays are usually found in data centers and large enterprises, while NAS devices are common in homes and small businesses.
The exposure risks serious harm to the devices' owners: criminal groups could access the disks and replace files with malware, steal company information, or plant backdoors inside backups. iSCSI is a core building block of many data replication solutions. Its purpose is to let an operating system see and use a remote storage device as if it were a local disk (block-level access over TCP/IP), rather than as a file share reached over the network.
The data these systems hold is sensitive, so the iSCSI protocol supports authentication (most commonly CHAP), which device owners can configure to stop unauthorized parties from connecting to the storage cluster and reaching the disks behind it. The problem is that, just as with other internet-connected devices (routers, databases, web servers), a portion of owners skipped even this minimum measure and left their storage exposed with no authentication at all.
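As an added illustration of the check an operator would run (example code written for this page, not from the article or the researcher's tooling): the Python below builds an iSCSI Login Request for a Discovery session that offers only AuthMethod=None and classifies the target's Login Response. A target that accepts the login has no authentication in front of it; a target configured for CHAP must refuse the request, normally with status class 2, detail 1 (Authentication failure). The initiator name, the ISID and the two sample responses are constructed for the demo and are labelled as such; only probe() does real network I/O, against a host you are authorized to test.

```python
import socket
import struct

# Placeholder initiator name for the probe (assumed; any valid IQN works).
DEFAULT_IQN = "iqn.2019-04.example.com:auth-probe"
ISCSI_PORT = 3260          # IANA-registered iSCSI port

LOGIN_REQ_OPCODE = 0x03
LOGIN_RESP_OPCODE = 0x23
IMMEDIATE = 0x40           # I bit in byte 0
TRANSIT = 0x80             # T bit in byte 1
CSG_SECURITY = 0           # current stage: SecurityNegotiation
NSG_OPERATIONAL = 1        # next stage: LoginOperationalNegotiation


def encode_keys(pairs):
    """Login text segment: key=value pairs, each NUL-terminated (unpadded)."""
    return b"".join(f"{k}={v}".encode("ascii") + b"\x00" for k, v in pairs)


def decode_keys(segment):
    """Inverse of encode_keys; ignores trailing padding and malformed items."""
    items = segment.decode("ascii", errors="replace").split("\x00")
    return dict(item.split("=", 1) for item in items if "=" in item)


def pad4(data):
    """Data segments are padded to a 4-byte boundary on the wire."""
    return data + b"\x00" * (-len(data) % 4)


def build_discovery_login(initiator_name=DEFAULT_IQN, isid=b"\x00\x02\x3d\x00\x00\x01"):
    """Login Request for a Discovery session that offers only AuthMethod=None.

    T=1 with CSG=SecurityNegotiation and NSG=LoginOperationalNegotiation asks the
    target to leave security negotiation without authenticating. A target that
    requires CHAP must refuse this; one that agrees is open to anyone on the wire.
    """
    text = encode_keys([
        ("InitiatorName", initiator_name),
        ("SessionType", "Discovery"),
        ("AuthMethod", "None"),
    ])
    bhs = bytearray(48)                              # Basic Header Segment
    bhs[0] = LOGIN_REQ_OPCODE | IMMEDIATE
    bhs[1] = TRANSIT | (CSG_SECURITY << 2) | NSG_OPERATIONAL
    # bytes 2-3: Version-max / Version-min = 0x00; byte 4: TotalAHSLength = 0
    bhs[5:8] = len(text).to_bytes(3, "big")         # DataSegmentLength, before padding
    bhs[8:14] = isid                                 # ISID (constructed value)
    struct.pack_into(">H", bhs, 14, 0)               # TSIH = 0: new session
    struct.pack_into(">I", bhs, 16, 1)               # Initiator Task Tag
    struct.pack_into(">H", bhs, 20, 0)               # CID
    struct.pack_into(">I", bhs, 24, 0)               # CmdSN
    struct.pack_into(">I", bhs, 28, 0)               # ExpStatSN
    return bytes(bhs) + pad4(text)


def parse_login_response(pdu):
    """Decode the BHS of a Login Response plus its text keys."""
    if len(pdu) < 48:
        raise ValueError("short PDU")
    opcode = pdu[0] & 0x3F
    if opcode != LOGIN_RESP_OPCODE:
        raise ValueError(f"not a Login Response (opcode 0x{opcode:02x})")
    data_len = int.from_bytes(pdu[5:8], "big")
    return {
        "status_class": pdu[36],
        "status_detail": pdu[37],
        "tsih": int.from_bytes(pdu[14:16], "big"),
        "keys": decode_keys(pdu[48:48 + data_len]),
    }


def classify(resp):
    """Turn a parsed Login Response into a verdict about authentication."""
    sc, sd, keys = resp["status_class"], resp["status_detail"], resp["keys"]
    if sc == 0 and keys.get("AuthMethod") == "None":
        return "OPEN"                 # target agreed to skip authentication
    if sc == 2 and sd == 1:
        return "AUTH_REQUIRED"        # status 0x0201: Authentication failure
    if sc == 1:
        return "REDIRECT"             # target moved; TargetAddress says where
    return "OTHER"


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("target closed the connection")
        buf += chunk
    return buf


def probe(host, port=ISCSI_PORT, timeout=5.0):
    """Send the login to a live target and classify its answer (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_discovery_login())
        bhs = recv_exact(sock, 48)
        data_len = int.from_bytes(bhs[5:8], "big")
        body = recv_exact(sock, data_len + (-data_len % 4))
    return classify(parse_login_response(bhs + body))


def make_login_response(status_class, status_detail, pairs=(), tsih=0):
    """Constructed Login Response for the offline demo (not a real capture)."""
    text = encode_keys(pairs)
    bhs = bytearray(48)
    bhs[0] = LOGIN_RESP_OPCODE
    bhs[1] = TRANSIT | (CSG_SECURITY << 2) | NSG_OPERATIONAL
    bhs[5:8] = len(text).to_bytes(3, "big")
    struct.pack_into(">H", bhs, 14, tsih)
    struct.pack_into(">I", bhs, 16, 1)
    bhs[36], bhs[37] = status_class, status_detail
    return bytes(bhs) + pad4(text)


if __name__ == "__main__":
    open_target = make_login_response(0, 0, [("AuthMethod", "None")], tsih=1)
    chap_target = make_login_response(2, 1)
    print(classify(parse_login_response(open_target)))   # OPEN
    print(classify(parse_login_response(chap_target)))   # AUTH_REQUIRED
```

The verdict is only as good as the first response: a target that answers with a redirect must be followed to the address in TargetAddress before judging it, and a port that accepts TCP but never returns a Login Response is not iSCSI at all. On the target side the fix is to require CHAP for both discovery and normal sessions, restrict which initiator names may log in, and, better still, keep port 3260 off the public internet entirely.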
The misconfiguration was recently discovered by a penetration tester who goes by the handle A Shadow. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. The exposure amounts to a backdoor that lets criminals plant ransomware-infected files on company networks, steal data, or insert backdoors into backup files. Some of the passwordless storage belonged to a YMCA branch, a Russian government agency, and universities and research organizations around the world.
Outside of Shodan, such systems are harder to spot in a quick scan, but a criminal gang chasing large ransom payouts will gladly spend the time to research each exposed iSCSI cluster for its next big hit.