Axis Postmortem And Answers on Cyberattack
After a cyberattack resulted in many Axis services being offline for a week, Axis has published a postmortem plus answered 7 questions from IPVM about the attack.
In this note, we examine Axis' postmortem and their responses to IPVM, and contrast the incident with the 2021 Verkada hack.
UPDATE: ******** ********
**** *** ******** *********** ********, ******* ****(****-**-** **:**). **** **** **** **** staff ******* *********** *** *******. **** report **** "*** ******** ************* ***** no *********** **** *** ********-, *******-, supplier-, ******* **** ** ****** **** was ********." **** ******** *** ******** in ********** **** ****.
**** ****** **** ******** ******** *** forensic ******* ** ******** *** ****** before *** *** **** *** ********. Therefore, ********-******* ******** **** ****. ***** services ******** **** *** **** ** that ******** ******** ***** ** **** for ******* ***** **** ****** ********* analysis.
**** *** *** ******** *** ******* of *** ******, ** **** **** down ******* ****** ** ***** ** determined. **** ******, "*** ************* ******** no ********** ******** ***** *** ****** to ***** ******** ************ ***** ** efficiently **** ******* *** ********* ****** completion, ***-******."
**** *** **** ** ****** *** threat ***** ******** ****: "******** *******, providing ********* **** ****** ******* ************, has **** ******* **********, ******** *** eradicated. ** ****** ** ********** ** other ******* ******* ******* *** **** found."
** *** *********** ******* ********* **** will **** *******.
**********
************* ** ****** ** **** ****** page*** ******** ********* **** ** **.
Social ***********
****** *********** *** **** ****** **** emphasized **** *** "******* ********** ********** such ** *********** **************" ***** *******.
********
"**** ****** ********* ******* ******* ******** "
** **** ******* ****** *** ***** of *** ****** *** ** ***** start *** ************* ****** * ****** of ***** ** ***** *******
No ****** *****
**** **** **** *** ****** ** the ******* ** ******* ** ****:
*** ******** ******* *** *** ****** is *******. ** **** **** ** stop *** ****** ** *** ***** stages ****** *** ***** ****** *** known. ** ********* ******* **** **** found ** ***.
*** ********* ****** **** ***** ******* to * ****** ******** ** **********.
Not ********** / ** *******
**** *** **** **** **** ** knowledge **** **** ** ********** *** that "** *****’* *** *** ******* with *** *********."
Country / ****** ** ********* ***********
** ***** **** **** **** ***** the *********, *.*., **** ******* **** were **** *** **** ******** ** share *** ***********, "*** ******** *******, we **** *** ******** ******* ********* the ****** ** *** ******."
Risks **** ****** ** *** ***
*** **** ******** ** ******* *** same **** ****** ******* *******, ***** has ****** **** ** ********* **** Russia *** ****** ****. *******, ** do *** **** ** **** *** simply ************.
**** ** **** ** **** ** attacks **** *** *** ***** **** video ************ ** ** ****** **** in ******** ************** ** *** ** and ***.
No ******** ** ******* ****
***** **** **** ** *** ********** that ** ******** **** *** ********, they ***** **** ** "******* ******* data" ** ******** ** * ******** from **** ***** **** ****** **** being ********:
** *** ** *** ************* *** shown ** ***, ** ****** *** attack ***** *** ******* ** **** it ****** *** ***** ****** *** done. ** ****no *********** that customer ** ******* ******* **** *** **** ******** in any way.
Shut ****, *** ***** ****
**** ********** **** **** **** **** their ******* *** **** *** ***** down, ****** ** **** *** *** shut **** ***** ******* **** ***** have ****** ***** ***** **** ** other ********* ********.
**** **** **** **** **** **** down ******* **** **** ***** ****** to *** **** **** ********:
** ***** ** **** ** ******* attack *******, *** ******** ** **** down ******** ******* ****** **** ******** systems **** **** ***** ****** ** be *********** **** *** **********. ** the ******, ** *** ******* ** securely ** ***** *** ******* *** production *****. ******** ***** ********* ***** time **** ** **** ******* ****** technically **********. ********* ** * ****** way ******* *** ******* ********.
Push ************* ******
*** ******* ** ****'* ******** ** take **** ***** ******* *** * lack ** ************ ** *********, ********* in *********** ********* ****** *** ***** 2 **** ***** **** *** *********. We ***** **** "**** *********** ** customers ** **** ** ********* ** some **** ** **** ************* *** outages" *** **** *********:
***. ** ***** ************ *** ******* our ******** *** *** ********* ******** in ***** *** **** ** **** educated ********* ***** ***** ***********.
Verkada **********
**** ** *** ******* ****** ************'* **** * **** ***. **** ******** **** ***** **** Verkada:
- ******* *** * ***** ***** ******** that *** ******* ********.
- ******* *** *** **** *********** ************** enabled *** ****.
- *** ** *******'* ******* **** ******* as *** ******** ***** ******** ******* to ********'* *******.
******* **** * ****** ** ********* errors **** ****** ****.
** ********, ***** ** ** ********** Axis **** **** ********, **** ******** are ***** **** ****:
- *** ******* ****** *** ***** ** to ***** * ***** ***** ********** and ******** ********* *** **** **** and *** ******* ****. *** **** hackers *** ******* *** ******** **** Axis ** ******* ***** ***** ********, it ****** ** * **** ******* attacker *** *** **** ** ** being *****-*********. ********, *** **** *** attacker **** ** ******* ***** ** less ****** **** **** ******** ******** to **** ***** *** **** ****** they ****** ********* ******** **** ****.
- *** **** ****** **** ** *** roughly * ****. ***** **** * small ********** ** **** ********* *** Axis ***** ********, **** ***** ** likely ** ** * *********** ****** of ********* ***** **** ****.
- **** ** * **** ******** **** critical ************** ***** ************ ********, ** any ****** ***** ** ************* **** of * **** **** *** ******* companies **** *** **** ******** **** in *** **********.
Shutting **** ******
*** ******* ******* ** *** **** disconnected *** ******* ****** ** ** increased ************** *** ****** ********* ******** problems.
*******, ****** **********"**** *** ******** ********* ******* ***********":
Stop ********** **** ****. Take all affected equipment offline immediately — but don’t turn any machines off until the forensic experts arrive.
** ** ************ ******** **** ******* ********** ******* (****** ***** **** says ** ********** **** **** ***). They ********* "****** *** ******* *********** offline" "** *** ****** *****" ****** "it *** *** ** ******** ** disconnect ********** ******* ****** ** ********":
* **** ******** ***** *** *** version ** ***** *******, *** **** is ** ******* ***** ** *** them ** ****** **** ** *** old ***...***
* **** * ***** ** **** but **'* ******** **** *** ***** used ** *** ****** ************ **** axis.com ** ***.****.*** *** ** **** mitigate **, **** ******** ******* *** DNS ********** ** *** ****** ****.
*** ******** *** ***** ** ********** all ******** ************ *********** ** * way ** ******* *** ********* ***.
**** *** * **** ******* *******, but **** **** *********. ** **** had *** **** ****, ****** ***** have ****** **** ***, ** ********* could **** ***** ******** ****** *** moving ****** ***** ********** (******** **** were).
*** ** **** ********* *** "***". Typically, *** ******* ******** *******. ** the ****, **** **** ** *** bad, *** *** **** *** *** it *** ***, ** **** *** to ******************* *********** ********. ** ******* ************** pointed ***, ******** **** ******** *** not *** *******. *** *** ********* did ****** ********* ********, ***** *** incredible ***** ****** *** *******. *** the ******** **** *** ****** ** less *******, ****** ***** **** **** downhill.
******** **** *** ******** ** ***** and ******* *** ******** ********** ***** immediately **** *** ********* ** ******* and ********* ****** **** ** ****** operational ******.
***** *** ******* ****** *****"****** **** *****". **** *** ******, ******** ******* the ********, ********* *** ********* ******, and ******* **** ******. *** ** reinforce *** ********** ** ****** *******.
****, ******* ** ***** ********* *** identifying **** ********. ** *** ***'* log, *** *** *** **** ** able ** *** **** *** ******** compromised, *** ***** ****** ** ********** who **** **** *** **** **** were ****** ** **.
***** ******* ************ ** ****** ***********, attackers **** **** ** **** ** as * **** ******* ********** ********** such ** *********** **************.
****** **** ****** ** *** ******* link ** ********. ******. *** *** buy * ****** ********, * ******* IDS/IPS, *********/******** **********, ******* ****** ********* and ***, *** *** ***'* *** around ****** ***** ********* **** **** to ****** *** ******. *** ** you **** ******, *** *** ***** to **** ** **** **** ****** engineering.
---
* ***** **** ***** ** *** them ****** ********** ** * ****** site ****** * *** ** **, to ******** *********. **'* ******** **** the ************** ** *** ****** ***** that *** ****** ***** *** ******** been ******* ****. *** ****** **** could **** ****** **** **. ** you *********** **** ****** **** ****** or *****, **'* ******** **** ***** Sunday ******* *** *** ***** ** the **** **** ** ********* **** backup ***** **** **********. ********* **** will *** **** ** ** *********** to ******** ***** ******** ********** ***** so **** **** *** ****** **** if **** *** ** ****** **** this ** *** ******.
******* ** *** *** ******* ****, SMS ** **** ******** *** ** is *****. **** ****** *** * bad **** ***, *** **** ** use ***** **** ******, *** ******** supports ***** *** **** **** **** out *** ***** ***.
** ******** *** ** ******** *** token, ** ******** ** **** ******** or ***** *** *** **** ** physically ***** *** ****** ** ******** so ** ****** ** ******** *********.
**** ********* ** *** *** *** Microsoft ************* *** ***. *** **** about *** **** ** *** *****.
**** **** ***** ****, *********, *** and ***** ***** *** ***** ** used ** ******** *** **** ** these ********. *** ** *** *** just ******* ******* ****** *** ** not *********. ** ******* ***** *** how *** ** *********** *** ******* or *** *** ** ****** ** exclusive ** *** **** *** ***** or ***** ********.
***** *** ***** ****** *** *** best *** ** ****** ******** *** the ******** **** ** ***** ****** it ** **'* ********* (******** *** token, ***. *** *** **** ***) and *** *** ** ****** **** and *** **** ***** ** **** point ** *** **** ***** ******* you **** **** ******, *** **** do **** ******** ***** ** ******* too.
**** ** **** *** **** ** these ************* ****. ******* ***** ***** tokens *** *** ** ************* *** which ******** *** *** * ****** to *** (*** ** ***-* ** Apple *********).
***** ** ******* **** ***** ***** this ***** * ***:
********* *************: * ***** ***** ** Security? - ******** ******** ****
** ***** **** **** **'* *** site *** ********, *** ***** *** the **************.
* **** **** ****** ** ****** an *** ********* **** ** ********* 4. ********** ******** ** ** **** up *** ******* ** * **** out ** *** **** *****. **** to **** *** *** *** ********* have ******** **** **** ** ******** to *** ** *** *** ****. I **** ***** ** ******* *** firmware *** ********** *** ** *** functions ***** **** ** ******** ******** and ****** ** ********** **** *** site. ** ****** *** ****** ** the *.**.*.* ******** **** **** *** send ** ***** ** ******* ***********. Customers **** ** **** ***** * can *** **** ****.
** **** ** **** ** *******, but *** ******** ****** ** ***********:
****** ******** ******** ******* ********** ***** suspected ***** ******
********** ****** ** ***** *** ********* to ** **** ****.
** ** ** *********** **** ** coincided **** *** ******* ********. ******* soldiers **** **** ****** ** ***** shooting *** ******** ******* *** **** was ****** **** ******* ****** ** help ****.
**********, ****** *** *** ***** **** for ****** ***** ***.
**** *** **** ***** **** ****:
** *** ***** ******* ********, ******** 19 *** ******, ******** **, **** was *** ******* ** * ***** attack. ** ***** **** ** ***** more *********** ***** **** ******** **** you.
What *** ********?
**** ****** ********* ******* ********** ********** behavior ** *** ******** *** ********** to ********** *** ******* *** ********. Details *** ** ***** ** * post-incident ****** ********.****.***.
How *** **** *******?
** ***** ** **** *** ****** quickly, **** ************ ****** *** ******* to ******* *** ********, ********* *** their ****. ** **** **** ******** services *** **** *****, **** ** in- *** ******** *****. ******* ******** were **** ******** ********.****** ********* ***** ***********.
How *** ** ****** **** *** *** *********?
***** ******** ****** *** *********** *********, Axis ***** ********* ******** ** * pace ******** ** ******** ******** ***** our ******* ********. *** ***** ********-****** services **** **** ********* ****** *******. Gradually ** *** **** *****, **** external ******** **** *******, *** *** majority *** *** ********* *****.
** *****, ** **** ******* ***** of ******** ************, *** ** *** able ** *******:
• ** ******** **** ** *********** was ***********.
• ** ************* *******, ********/******** ** development, ** ********/******** ********* *** ******** were ********. *** *** *** ******** development ********.
• ********* *** **** ******** ** installed **** ********* **** ** **** Camera ******* **** *** *********** ** the ******, ****** ******** **** **** Secure ****** ****** **** ****** *** as * **********.
• *** ****** ********** *** ****** chain ******** ******* ********** ******* *** entire ******.
What ** *** ****** ** **** ****** ******* ******* ******?
*** ******* ****** ** **** ****** for *********** ******** ******* **** ** normal. **** ****** ******* ************** *** activate ******** *** *** ****** *** through **** *-****** *******. *** ********* awaiting ****** ** ******* ****, ** are ********* ** *** **** ****** back ****** ** ** **** ** accept *** ****** *** ********.
Why **** ******** **** **** *** ***** **** ****? **** ** *** ****** ***?
*** *** ******** ** *** *********, our **** ****** ** ****** *** to ** **** ****** **** ***** ensuring ****** *** *********** *********. **** currently ******** ** * ********** ****. This **** ******** ** **** ** the ******** ************* ** ******* *** until *** ******** *** *********** ** completed.
** ** ******** **, **** ******** facing ******** **** **** ******** **** some ***** ******** ******** *********. ** expect *** ***** ***** ** *** customer ****** ******** ** ** ********** available ****** * *** ****.
What **** ****** ***** *******?
**** *** ******* **** **** ******** and *** ************* *** *********, **** incident **** ** ******** *********** ** determine *********** **** *****. ** ***** like ** ****** *** **** **** incident **** ********** *** ******** ********** to *** ********** ** ************* *** to **** **********. ** **** ******* future ********** ** **** ******** ** heighten *** ********** ** ********, ******** and *********.
***** *** *** **** ******* *** cooperation. ** *** **** *** *********, please ** *** ******** ** ******* your ******** **** **************.
**** *******,
**** **************
********** *** *** ********* ******** ******* are * *** ****.
*** ** **** *******. **'* **** so **********.........
*** *** ***** ****. ***'* ** the ****.
**** *** ******* ***** * *** slower **** ****** ***. * *** taken **** *** * ****** **** someone ******** ** ***** ********* ***** working, *** * **** **** ** people ** ******** *** ******.****.*** ** well.
* ****** **** ***** ***** ***** services ** ** *****'* ********* ******* firewall ******* ** ******** *** ****** hosting ** **** **** ** ******** to ** ******** ***********.
**** ****** *** **** ******* **** the ********* ******* ***** ** *** forensic ******** **** **** ******:
* ******** **** *** ******* ** double ***** *** *** ********* ** some ***** ****** ** *** ****** manager *** **** ******** ******** ****** the ******* ****** ******** ** *********** Axis's ********* ******* *** ***********. * only *** * *** ** **** checking, *** **** *** *******.
* **** ********* **** ** ******* they ***** ***** *** ********** ** their ********, *** **** ****** ** least ********* ** *** ****.
** ***** ******** ** *****, ***** response ***** ********** ** **.
****.*** ***** ***** ** **** **** issues.
**** **** ** *** ******* *** some ***** *** ******.
*** ********* ** ****.*** **** ***.****.***