[BreachExchange] 'Several combinations of social engineering' used during cyberattack on camera maker Axis

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Mar 3 10:11:06 EST 2022


https://www.zdnet.com/article/camera-maker-axis-releases-details-of-cyberattack-that-caused-outages/


Camera maker Axis released more details about a cyberattack that started on
the night of Saturday, February 19.

In its initial messages on its website, the Swedish camera giant said it
got alerts from its cybersecurity and intrusion detection system on Sunday,
February 20, before it shut down all public-facing services globally in the
hopes of limiting the impact of the attack.

But in a lengthy report about the attack, Axis says someone used "several
combinations of social engineering" to sign in as a user on Saturday night
"despite protective mechanisms such as multifactor authentication."

According to the report, there was no ransomware, but investigators did
find malware and discovered that the company's internal directory services
were compromised. Axis claimed no customer information was involved.

"Inside, the attackers used advanced methods to elevate their access and
eventually gain access to directory services. Axis threat detection systems
alerted incident staff of unusual, suspicious behavior, and investigations
began early Sunday morning. At approximately 9 am CET Sunday morning, IT
management decided to bring in external security experts, and at
approximately 12:00pm (noon), it was confirmed that hackers were active
inside Axis networks. The decision was taken to disconnect all external
connectivity immediately as a way of cutting the intruders off," Axis
explained.

"At 6pm, all network access had been shut off globally. The measure had the
intended effect of shutting the intruders off from their access. It also
resulted in a loss of external services for Axis staff, such as in- and
outbound email. Partner services were also affected, with axis.com and
extranets being unavailable. Investigations rapidly showed that parts of
the server infrastructure had been compromised while other parts remained
intact."

The company noted that its global production and supply chain remained
"largely unaffected" during the attack. Its first customer-facing service
returned on Sunday evening.

Most external services were restored by February 27, while others are still
waiting on security clearances. Axis said it is still operating in "a
restricted mode" with internet-facing services.

As of Wednesday, March 2, device upgrades for AXIS OS/Apps are still facing
a major outage, and the company's licensing system is dealing with a
partial outage.

"This will continue as long as the forensic investigation is ongoing and
until the cleaning and restoration are completed. This mainly affects our
internal work streams and has a very limited effect on customers and
partners. We expect the final parts of our customer-facing services to be
completely available within a few days," Axis said.

"Needless to say, we are humble in the face of and due to the gravity of
the situation. We are also grateful that we were able to catch and stop an
ongoing attack before it had much more lasting effects."

The company initially announced the outages on Twitter but did not respond
to requests for comment. On its status site Friday afternoon, Axis said its
Case Insight tool in the US and the Camera Station License System were
dealing with partial outages.