This misconfiguration has the risk of causing serious harm to devices’ owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices.
What is iSCSI
iSCSI stands for Internet Small Computer Systems Interface, and is a protocol for linking workstations and servers to data storage devices, such as disk storage arrays (found in data centers and large enterprises) and network-attached storage (NAS) devices (found in people’s homes and small-to-medium businesses –SMBs).
The protocol’s main purpose is to allow an operating system to view and interact with a remote storage device, as if it was a local component, instead of an IP-based accessible system.
iSCSI is a core component of the modern computing industry, as it allows virtual machines (VMs) to boot from remote hard drives as they’d be local devices; allows companies to centralize storage systems without breaking apps that can’t handle IP-based network storage paths; and is a crucial part of many data replication solutions.
The misconfiguration boo-boo
Naturally, because of the sensitive data these systems often contain, the iSCSI protocol supports various authentication measures, which device owners can set up to prevent unauthorized parties from connecting to their storage cluster and access storage drives, interact with the data, or create new storage drives.
But just like in the case of many internet-connected devices, such as routers, databases, web servers, and others, there is that small portion of device owners who failed to follow a minimum of security measures, and have left their storage arrays exposed online without authentication
This means that anyone knowing basic details about some of these systems can follow simple YouTube video tutorials and connect to these storage clusters, may them be large-scale disk arrays inside a company’s data center, or tiny NAS devices left in an office corner.
Thousands of iSCSI cluster available via Shodan
Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices.
In an online conversation with ZDNet, the researcher described this iSCSI exposure as a “dangerous backdoor” that can allow cyber-criminals to plant ransomware-infected files on companies’ networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.
In a cursory investigation of a small sample of exposed iSCSI clusters, ZDNet found passwordless iSCSI-accessible storage systems belonging to a YMCA branch, a Russian government agency, and multiple universities and research institutes from all over the globe.
Many of the IP addresses ZDNet found to expose an iSCSI cluster were also hosting password-protected web panels for NAS devices such as Synology, suggesting these devices had been properly secured with a password for the web panel, but not the iSCSI port.
In addition to our separate investigation, A Shadow, who has spent a few days analyzing the results, said that many of these iSCSI clusters also belong to private companies, which can be ideal targets for cyber-criminal groups, and especially ransomware gangs targeting big ransom payouts.
Such systems may be a little harder to spot in Shodan search results during short lookups, but a cyber-criminal gang looking to maximize its profits will be, without a doubt, willing to thoroughly research each exposed iSCSI cluster for its next big hit.