Hackers used Super Admin-level login credentials to compromise enterprise security camera company Verkada and distribute footage from its systems. We've recently learned that these Super Admin login credentials are thought not to have been adequately guarded, and that the principle of least privilege was allegedly not implemented across the organization. The investigation into this incident is still in progress.
Real-world pictures and videos from 150,000 live cameras in jails, health clinics, banks, gyms, offices and schools were accessed. Tesla and web infrastructure company Cloudflare are among the higher-profile companies whose footage was compromised by the hackers.
Per Bloomberg's initial report, the breach was conducted as a demonstration by an international hacker collective (which calls itself Advanced Persistent Threat 69420) that wanted to show the pervasiveness of video surveillance and the ease with which systems could be broken into.
Cyber experts from around the industry weighed in on this latest high-profile breach, which has significant implications for data privacy, compliance and the future of security.
Asaf Hecht, Cyber Research Team Leader, CyberArk:
“The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard coded passwords that are rarely, if ever, changed by the customer. While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact. And while Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed. Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”
Jason Bevis, AVP Awake Labs, Awake Security:
“The Verkada breach highlights the dangers of unmanaged IoT. Endpoint technologies — while crucial for many functions in a SOC — do not provide the complete picture. Understanding an enterprise’s true attack surface requires more than solely surveying devices in your inventory. Identifying and responding to IoT threats relies on the use of NDRs, which provide complete visibility of an organization’s full attack surface.”
Art Gilliland, CEO, Centrify:
"The Verkada camera breach incident is a prime example of the impact compromised credentials can have. Not only can this type of infiltration harm the breached supplier, it can put customers and, more importantly, the people they serve, at risk. In this instance, images and videos of corporate offices and even medical patients being treated are being leaked. This type of breach can have physical security implications as well by giving people inside looks at office layouts and possibly even security systems. To prevent similar breaches from happening in the future, organizations should implement modern privileged access management (PAM) to reduce the risk of this kind of exposure. By leveraging existing enterprise identity infrastructure to enforce least privilege access for humans and machines, taking a Zero Trust authentication approach, and minimizing the use of shared accounts, organizations can provide a more granular level of access control while also increasing accountability and reducing the overall threatscape, including attack surfaces such as security cameras.”
Mike Nelson, Vice President of IoT Security at DigiCert:
"While this issue exposed an admin/password on the web which happened to be a super-user, connected security cameras have been a target for hackers for some time, and it’s unfortunate to see vulnerabilities still exist with some manufacturers. Adding security to devices already in the field is much more challenging than planning for security during design and development of a product. Though we have seen progress when it comes to addressing cybersecurity for connected systems, there is still much work that needs to be done to raise awareness and promote best practices with the manufacturers building the devices, and also with consumers and businesses that are buying these devices."
Joseph Carson, chief security scientist and Advisory CISO at Thycotic:
“It is very unlikely that this attack would lead to a threat attack vector against endpoints unless the attacker is able to gain remote access to the security camera and then laterally move onto other systems on the same network. However, I really hope the camera feed is one direction. In some niche cases the attacker might be able to see what they are typing on the keyboard such as passwords and credentials. This attack is mostly a security incident that targets sensitive data such as it could be used for facial recognition to identify who works in or visits the location. This attack could also be used for Intellectual property theft to determine the techniques and processes used. The attack is mostly an incident related to data loss.
To reduce attacks like this it is critical to take privileged access seriously and it must be a top priority for organizations to have better controls and requirements. Moving to the Principle of Least privilege where access is on demand when authorization is approved.”
Jeff Costlow, CISO, ExtraHop:
"There are a number of serious implications to a hack that gains access to security camera footage. Even if the security cameras themselves didn’t use facial recognition, facial recognition software could easily be applied to footage like this to determine who was in the facility.
Then there’s the issue of video and photo manipulation. Deepfakes are becoming increasingly common. Could this footage be manipulated to make it seem like someone was in a facility when they shouldn’t have been? Or make it appear that they have a health condition? You can imagine the reputational harm that could be caused by something like this."
Ami Luttwak, CTO, Wiz and former lead of Microsoft’s Cloud Security Group:
"The hack disclosed yesterday at Verkada is yet another reminder of the risks of supply chain attacks. This time we saw hackers leverage a public administrative interface to take over cameras at hundreds of locations. The attackers managed to get root access on the devices, meaning they could potentially leverage the cameras as a starting point for a network attack. Just as we saw in the SolarWinds attack, 3rd party systems deployed in the network should have minimal privileges to reduce the risk in case of a supply chain attack."
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security:
“If one conceptualizes the security requirements of an organization around the “digital chain of custody” – securing all elements of the digital chain of security is critical – Data, Infrastructure, Device, Endpoint, Application and Identity. Each one of those elements presents potential gateways to a breach. This breach is illustrative of how multiple simple gaps across multiple elements of the “digital chain of custody” can be combined to orchestrate a significant breach. In this case, the fact that the super-admin account information was freely available and the fact that missing security controls on the device are considered “by-design”, point to how a combination of security gaps across the “digital chain of custody” resulted in such a significant breach.”
Tim Mackey, Principal Security Strategist, Synopsys CyRC:
“Whenever you deploy an internet connected device, there is always the potential for unauthorised access. If that internet connected device includes some form of monitoring by its supplier, then the risk of compromise increases due partly to a lack of control over authorization. In the case of the compromise of Verkada cameras, attackers were able to access administrative credentials for a significant portion of the Verkada camera network. That Verkada were able to revoke the attackers’ access as one form of remediation doesn’t imply that remote monitoring was disabled – only that the previous credentials were invalidated. It also doesn’t imply that the attackers weren’t able to change the software configurations within the camera or even potentially install other software. To protect against latent compromise, operators of Verkada cameras should reflash each camera with a known good copy of the firmware, as well as look for any indications of compromise on monitoring systems. They then should ensure that the camera network is isolated from the internet, or if that isn’t possible, implement firewall protections to ensure that remote access only occurs from known locations over expected ports.”
Rick Holland, Chief Information Security Officer at Digital Shadows and former Forrester Research analyst:
“Verkada positions itself as a "more secure, scalable" alternative to on-premises network video recorders. The Verkada intrusion is an example of the risks associated with outsourcing services to cloud providers. You don't always get more secure when you outsource your security to a third party.
The video leak is likely to result in regulatory investigations from the Department of Health and Human Services (HHS) for HIPAA/HITECH violations because surveillance footage can be considered protected health information. GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon.
The intrusion also highlights the need for internal cybersecurity and physical security teams to be integrated or closely aligned. The lines between these two functional areas are blurred as more and more physical security controls make their way to the cloud.”
Hank Schless, Senior Manager, Security Solutions at Lookout:
“It’s noted that the attackers were able to gain access to Verkada’s infrastructure through a “Super Admin” account. It’s very likely that this was done through a phishing attack that was made more convincing through social engineering.
Targeted phishing attacks are known as spearphishing attacks. Malicious actors will oftentimes use publicly available information in places such as social media profiles to build a convincing campaign targeting an individual. Spearphishing attacks are particularly effective on mobile devices where an attacker can phish the individual over voice (vishing), SMS (smishing), and other personal channels outside the controls of traditional perimeter-based security tools. In both of these situations, an attacker can socially engineer their way into convincing the target to share login credentials with them.
Attackers have also been known to target lower-level employees and phish their credentials, only to move laterally through the infrastructure once they have access. If the organization doesn’t have certain protections in place in their infrastructure, the attacker could escalate their own privileges in order to gain admin access.”
Josh Bohls, Founder, Inkscreen:
"While this breach is related to IoT security cameras, it underscores the importance of protecting and managing multimedia content (photos, videos, audio recordings) that employees capture. This is especially critical when it comes to mobile devices; the photos and videos captured on the job are often left unprotected and outside the sphere of IT control."
Ralph Pisani, president, Exabeam:
"Once more, we are watching a broad-scale cyberattack affect large organizations, healthcare systems, schools and even detention centers. There's little doubt there will be even more organizations affected, despite the industry just recently learning about the SolarWinds breach, where we failed to deploy best practices to safeguard credentials and digital identities. The Verkada breach is especially dangerous because the hackers used stolen credentials to obtain root access on the surveillance system. This provides the potential for lateral movement, which means they could execute their own code and steal sensitive data stored elsewhere on the network. This has serious implications for individuals and enterprises, so we must do more to safeguard credentials as they remain the most valuable asset for malicious actors. We do this by teaching proper credential protection through security awareness training, including using multi-factor authentication. We can also employ security solutions that protect email servers, but individuals should also know how to accurately spot phishing emails in both personal and professional email accounts. Organizations can use proactive threat intelligence to identify campaigns targeted at them and behavioral analytics technology to reliably distinguish normal user behavior from the abnormal activity of attackers, to identify and remove intruders from the network. Exabeam advocates strongly for alert and aware cyber citizenship, and we share these suggestions to educate the community, while fulfilling the mission of helping security teams to outsmart the odds."
Ray Canzanese, director of Netskope Threat Labs, Netskope:
“Unfortunately, we see a lot of companies who don’t apply multi-factor authentication to super-admin accounts with root privileges. This type of hack is preventable if companies have tighter control over super admin credentials to prevent leaks, use multi-factor authentication to prevent leaked or stolen credentials from being used, and monitor access to detect things like failed log-in attempts which can be a precursor to unauthorized access. These types of attacks are becoming more common as more organizations move to cloud and don’t have the policies or measures in place to secure a cloud-first environment.”
Asaf Karas, co-founder & CTO, Vdoo:
“This recent attack exploited hardcoded credentials in the cloud-based backend infrastructure that Verkada's cameras connect to for management and storage. This shows the importance of configuration security and proper hygiene of deployment environments. It is further evidence of the current gap in application security tools that do not address these issues. It also highlights the importance of conducting supply chain security assessments on third-party devices. We’ve seen a wave of supply chain attacks in which a vendor's compromised asset is actually the means to attack the real target – their customers' networks.”
Andrea Carcano, co-founder, Nozomi Networks:
“In this incident, the attackers found an account that had the rights to access the data of several customers; this is clearly an insecure design. When you choose a cloud-based service, it’s important to do some due diligence that is slightly different from the due diligence used with on-prem solutions. Cloud SaaS providers are potentially concentrating data from many customers in a single place, so you need to verify with the provider that a thorough separation of data is in place. You should also verify with the vendor which intrusion detection capabilities and incident response measures are in place. Cloud providers aren’t immune to attacks, but they can be detected early and stopped before they can do harm.
IoT security cameras are extensively used by industry and the critical infrastructure sector. According to research firm Markets and Markets, the global video surveillance market size is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025. The infrastructure sector, including transportation, city surveillance, public places, and utilities, is expected to grow at the highest CAGR during that period.
Given their prevalence and growing use, it’s important to understand the security risks of IoT cameras. We urge you to take measures to prevent unauthorized access to audio/video streams and CCTV user credentials. Failure to do so could result in privacy, confidentiality, and business harms.”
Mark Bower, senior vice president, comforte AG:
“The new generation of high-tech growth innovators born in the cloud and disrupting industry can’t only rely on traditional security approaches based on perimeter controls, container or transit encryption, especially given the backdrop of increasingly complex data privacy regulations. One of the challenges is that while cloud backbones provide the basic container and pipe data security, gaps in data lifecycle protection can result in exploits, accidents or unauthorized access, especially as data is moved from operational platforms to data engineering analytics systems.
In this breach, it’s been reported that both video as well as personal financial data was compromised. So whether it’s digital data, or personal data, every company processing, using and storing personal or personal identity-related data has to think about a modern data-centric approach to secure it comprehensively well beyond the reach of traditional controls which were evaded in this compromise.”
Rolf Lindemann, VP of Product at Nok Nok Labs and Co-Chair of the UAF Technical Working Group for the FIDO Alliance:
"The Verkada hack is far from surprising because the use of username/password-based authentication has been on the fast track to obsoletion for quite some time. These methods are not secure, scalable nor convenient – neither for accessing corporate resources nor for accessing IoT devices. Yet, despite constant exploitation, they continue to prevail. The time for change was yesterday, and Verkada only magnified the severity of the situation. While many are focusing on the access that was gained to networks, most importantly, we must acknowledge that this subsequently allowed access to frightening personal information and situations given that surveillance cameras were involved. It is not a new observation that Secure Perimeters are dead. But the rate at which they need to be improved is. To make Zero Trust a reality for employees, customers and IoT devices, convenient and strong authentication is key."