[German]Swedish vendor of (IP security cameras) Axis has become a victim of a cyber attack, as Axis Communications has finally confirmed. I had addressed a few days ago in the blog that their websites and services were down since February 21, 2022 and suspected a cyber attack. Here is a summary of what is now known. Addendum from 02/27/2022 with information from Axis Communications on what they have found out.
Advertising
Axis Communications AB is a Swedish manufacturer of network cameras, access control and network audio devices for physical security and video surveillance. The manufacturer considers itself a technology leader in network cameras and other IP network solutions.
Axis.com down since days
I received on Monday 2/21/2022 a private message from a reader via Facebook, who pointed out that the axis.com web pages had been down for hours. When trying to access the pages in the browser, error messages come up that the website is down (see post axis.com (IP security camera vendor) is down (Feb. 21, 2022)). Some websites like *www.axis.com/de-de#, brings a connection-timeout error or error 503, as shown in the screenshot below.
The axis.com status page reported a complete service outage. This means that customers cannot access their IP cameras via the Internet. This affects security cameras at airports, banks, supermarkets, etc. After my reporting and inquiring with the manufacturer, there was then a brief notice of an "IT-related intrusion" on the status page and on Twitter (see following text).
Services are slowly coming back
It is now February 24, 2022, and if you go to the axis.com status page, many of the vendor's services are already listed as "Operational." This includes pages and services for body cameras (as used by the police).
Advertising
Only the main page is still listed as "Partial outage" – the press pages etc. are still not accessible. The upgrade service for AXIS OS (the firmware) as well as the apps is still down – from which I conclude that the vendor cannot rule out a supply chain attack. The licensing system as well as remote access to AXIS camera stations is also still partially down. IT specialists still seem to be investigating what impact the admitted cyberattack had.
Was there a vulnerability?
A blog reader pointed me to the following tweet. A user with the Twitter alias @5cript1diot points out on Feb. 22, 2022, in response to the Axis message that services were disrupted, that he had alerted the provider to a vulnerability but had not yet received a response.
The answer "we are working on this issue" – but currently the project to bring the IT systems back online takes precedence. No reaction to the issue of security vulnerability – and apparently they don't think it's necessary to send a short feedback to the person concerned "we received your tip and are investigating this". Only upon public inquiry comes the above reply tweet.
No communication to the public
Axis Communication claims to be a player in the cybersecurity field (Explore your cybersecurity resources: Axis's solutions offer a variety of built-in cybersecurity features to counter different types of cyber-attacks, effectively battle vulnerabilities, and prevent unauthorized access to your system). However, the communication on a possible cyber-attack is so far poor from the manufacturer's side. I had traced it in the post axis.com (IP security camera vendor) is down (Feb. 21, 2022).
I had asked on Twitter (see above tweet), but also via the German website of the provider, but received no answers until today, February 23, 2022. Falls into the same picture as the tweets from the previous section.
Cyber attack confirmed
In a private message on Facebook, a blog reader informed me that he had been admitted by their phone support in Germany that the disruption was due to a cyberattack. Customer data had reportedly not been leaked, but everything was still being investigated. It is hoped that the systems will all be back up and running by the end of the week, but it could take longer.
I then reached out yesterday for an official statement from axis via their support form on February 23, 2022, but so far have not received a response. Now there seems to be an official statement, which Carsten Korn posted the German edition in this comment (English version below). The statement says, hat Axis Communications has suffered a cyber attack. Their security and intrusion detection (EDR) systems struck on Sunday (the 20.02.2022) and reported a possible attack.
After initial analysis, traces of illegal activity were detected on the manufacturer's network. As a result, the latter disabled the publicly available Internet services to minimize the potential damage. The vendor also wanted to gain time for troubleshooting and protecting systems and data. This was a deliberate decision to limit the potential impact of the attack, it says. For now, the business impact is limited to all Axis services communicating externally, it said.
Also coincides with a spokesperson's statements quoted here. Below is the following statement in English and it says that they are working to restore all affected services and it looks good. So it looks like no data was compromised.
On Feb. 20, our detection systems alerted us of a possible IT-related attack. Investigations began immediately and traces of illegal activity were found. As a preventative measure, we disabled public-facing Internet services in order to limit potential damage from the attack. We've been working urgently to restore affected services and preserve the safety of our systems and data. Some systems have been restored and we expect continued improvement over the next few days. We are keeping our partners and customers aware of pertinent updates as available. Status updates can be found at status.axis.com
We have no information about this being a ransomware attack. And the attack appears to have been stopped early on. So far there are no signs that customer information has been affected but we continue to investigate.
Details about the Cyber attack
Addendum: As of February 27, 2022, Axis Communications has now published information in the status area about what has been. It states that Axis was the victim of a cyberattack during the night of Saturday, February 19, to Sunday, February 20. Through various combinations of social engineering, the attacker(s) managed to log in as a user despite protection mechanisms such as multifactor authentication.
Then, the attacker(s) used advanced methods to expand their access and eventually gain access to directory services (Active Directory). Axis' threat detection systems alerted employees to the unusual, suspicious behavior, and investigations began early Sunday morning.
At around 9 a.m. CET on Sunday morning, IT management decided to call in external security experts, and at around 12:00 p.m. it was confirmed that the hackers were active on the Axis networks. It was decided to immediately cut off all external connections to eliminate the attackers. Sunday, February 20, 2022, all network access was shut down globally as of 18:00 CET. The measure had the intended effect of denying access to the intruders.
Investigations quickly revealed that parts of the server infrastructure had been attacked, while other parts remained intact. Forensic work and projects to clean and restore affected components began immediately with the goal of quickly and gradually returning to normal operating status. Global production and the supply chain remained largely unaffected throughout the period.
The analysis showed that no encrypted servers were found. However, malware and evidence that internal directory services were compromised were found. According to Axis, no customer information is said to have been affected in any way. Overall, according to the vendor, there is limited evidence of any harmful consequences – other than the restriction of services and loss of productivity. Below is still the full text of the Axis release in the status section (I've pulled it out in case the post is later deleted).
PDATE 2022-02-27 19:00 CET
[Cyber attack] Post Mortem
On the night between Saturday February 19 and Sunday February 20, Axis was the subject of a cyberattack. Using several combinations of social engineering, attackers were able to sign in as a user despite protective mechanisms such as multifactor authentication.Inside, the attackers used advanced methods to elevate their access and eventually gain access to directory services.
Axis threat detection systems alerted incident staff of unusual, suspicious behavior, and investigations began early Sunday morning. At approximately 9 am CET Sunday morning, IT management decided to bring in external security experts and at approximately 12:00 (noon), it was confirmed that hackers were active inside Axis networks. The decision was taken to disconnect all external connectivity immediately as a way of cutting the intruders off.
At 6 pm all network access had been shut off globally. The measure had the intended effect of shutting the intruders off from their access.
It also resulted in a loss of external services for Axis staff, such as in- and outbound email. Partner services were also affected with axis.com and extranets being unavailable.
Investigations rapidly showed that parts of the server infrastructure had been compromised while other parts remained intact.
Forensic work and projects to clean and restore the affected components began immediately with the intention of rapidly and gradually coming back to normal operational status.
Global production and supply chain remained largely unaffected through the entire period.
Our first customer facing services were made available Sunday evening, February 20.
Gradually in the days that followed, more and more external services were cleared and made available online again, including commercial services, main parts of axis.com and email services.
Status Sunday February 27 is that most external facing services have been restored with some still awaiting security clearance. Regarding internet facing services, Axis currently operates in a restricted mode. This will continue as long as the forensic investigation is ongoing and until the cleaning and restoration is completed. This mainly affects our internal work streams and has very limited effect on customers and partners. We expect the final parts of our customer facing services to be completely available within a few days.
Findings so far
No servers have been found to be encrypted but we found malware and indications that internal directory services were compromised. No customer information has been found to be affected in any way. In total, we find limited signs of damaging consequences aside of the general embarrassment and productivity loss as we clear services for production step by step.The attackers used multiple methods of social engineering to gain access despite our security mechanisms. Improvements already undertaken are changes that reduce the risk of human error. The technical security mechanisms have been raised in general across the board to limit the risk of any similar future event. The effect is increased security at the cost of slightly less smooth workflows.
It is a regrettable fact that no company is entirely safe from the risk of cyber intrusions. Our strategy remains the same. We aim to provide real security through several different types of protection:
- We prevent threats and attacks with automated and systematic monitoring
- Intrusions are made difficult while keeping operational efficiency high
- Potential intrusions must be detected early to stop further damage
- And in case of severe problems, we provide rapid and reliable restoration of services.
Needless to say, we are humble in the face of and due to the gravity of the situation. We are also grateful that we were able to catch and stop an ongoing attack before it had much more lasting effects.
We will come back with more information if our ongoing investigation uncovers events of further relevance.
