Slashdot Mirror


Over 13K iSCSI Storage Clusters Left Exposed Online Without a Password (zdnet.com)

Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication. From a report: This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices. [...] Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.

48 comments

  1. and we at Piped Piper are thankful by negrace · · Score: 1

    Thanks guys!

    1. Re:and we at Piped Piper are thankful by Anonymous Coward · · Score: 0

      why isn't the show coming back til 2020? two years off is a long time

  2. "internet-accessible hard drives" by IWantMoreSpamPlease · · Score: 2

    What's wrong with this picture?
    Oh yeah, the same thing wrong with "the cloud"

    I still can't believe "the cloud" ever took off with the IT world...

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.

    1. Re:"internet-accessible hard drives" by Anonymous Coward · · Score: 2, Interesting

      Oh yeah, the same thing wrong with "the cloud"

      iSCSI dates back to 1998. "The Cloud" dates back to 2006. iSCSI is intended to be used over a LAN, not the internet. This is a "misconfiguration" as said in the second word of the summary, not someone intentionally sharing data to the cloud or whatever you think it is.

    2. Re: "internet-accessible hard drives" by Anonymous Coward · · Score: 0

      Just remember, INFOSEC is all about AVAILABILITY. So if you don't set a password, you will never lock yourself out. You can thank me later.

    3. Re:"internet-accessible hard drives" by Anonymous Coward · · Score: 1

      The cloud is commercial time sharing and that dates back to the 1960s.

    4. Re:"internet-accessible hard drives" by luis_a_espinal · · Score: 1

      What's wrong with this picture? Oh yeah, the same thing wrong with "the cloud"

      I still can't believe "the cloud" ever took off with the IT world...

      The cloud took over IT because it made sense.

      The problem we are seeing here (not securing your shit), that's been an old problem since offices started giving workers PCs connected to a LAN or whatever. Hell, I'll say this is just another manifestation of the same old problem of someone lending badges and id cards to a co-worker (or someone else) in the good old days of timesharing and mainframes.

      What we are seeing here is not a problem of "the cloud" or "IoT". It's product designers shipping products that do not require an authentication setup. There can be no product accessible with a default password over the wire.

      Then there is the issue of IT monkeys setting up IoT devices unprotected. I can understand someone leaving a smart thermostat unprotected. An iSCSI? On a cluster? C'mon, what's the excuse?

  3. April Fools' . . . right? by Anonymous Coward · · Score: 0

    Why would an iSCSI network be publicly routable? This is nonsense.

    1. Re: April Fools' . . . right? by Anonymous Coward · · Score: 0

      scuzzy was the pioneer of speedy drives. I wonder how many are in use today? Tell me that story, not the latest breach hype.

    2. Re: April Fools' . . . right? by Anonymous Coward · · Score: 0

      You have zero understanding of drives.

    3. Re: April Fools' . . . right? by Anonymous Coward · · Score: 0

      Scuzzy was one of Apple's hype bullet points for many years. Before Altivec and 'unix' and RISC and various other buzzwords the Apple marketers slung around without really understanding.

  4. Internet accessible? by grasshoppa · · Score: 3, Insightful

    I never understood this. Under normal circumstances it's quite difficult to make something internet accessible. Most firewalls, both corporate and consumer, by default use NAT with no forwarding, so under those conditions you'd have to go out of your way to make this happen ( ironic, given that if you have the knowledge necessary to do so, you know what not to do as well ).

    The only thing I can think of is that this is an org with a huge block of public IPs that are managed poorly, but I would expect this to be an edge case and not a part of all these risk vectors ( cameras, printers, workstations and now, apparently, disk systems ).

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!

    1. Re:Internet accessible? by DarkOx · · Score: 3, Informative

      I'll bet a lot of it is IPv6

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

    2. Re:Internet accessible? by MightyMartian · · Score: 1

      Exposing an iSCSI node to the great big wide world seems to go beyond normal incompetence and borders on utter ineptitude. Not that any device with an IP shouldn't be locked down, even inside a LAN (that's a bad enough failure of security), but wow, the idiocy of actually throwing any iSCSI device on a routable IP just seems so jaw-droppingly stupid.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

    3. Re:Internet accessible? by Anonymous Coward · · Score: 0

      I have suddenly found more storage for my p0rn collection.

    4. Re:Internet accessible? by petermgreen · · Score: 1

      Not just one org, there are piles of orgs, especially in academia, that have been on the net since before the Eternal September and the IPv4 crunch and still run their networks in much the way they always have. Mostly open to the Internet with maybe some limited firewalling on ports particularly likely to be abused.

      Also, whenever you rent a server or VM or colocation slot from a hosting provider it comes with a public IP open to the Internet by default. I could easily see someone fed up with overpriced cloud storage shoving an iSCSI storage array into a colo rack and just hooking it up to the hosting provider's network (wide open to the Internet) without thinking things through properly.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

    5. Re:Internet accessible? by Anonymous Coward · · Score: 1

      OUR pr0n collection, Comrade!

      Typical damn greedy Capitalist, only thinking of himself!

    6. Re:Internet accessible? by ilsaloving · · Score: 1

      Same here. The only way this can happen is by sheer ineptitude.

      This is the double-edged sword of empowering people by making things simpler and more accessible. While it streamlines things for pros, it also allows Dunning-Krugers to think that they can punch above their weight, with the end results being what we see today.

      I've run into these kinds of people now and then, and... just wow. It's not even the incompetence that bugs me. It's the surety that they know what they're doing, and the complete obliviousness of their own lack of skill. One of these people cost me my vacation last year because they managed to cause a massive security incident which I then had to mitigate before things got even worse.

      It's why I despise things like JavaScript and Visual Basic. Stop enabling people to code when they don't have the skills for it. Just because you can vomit some text into a browser that somehow manages to work despite your best efforts, doesn't make you the next rock star programmer that will change the world.

    7. Re:Internet accessible? by Anonymous Coward · · Score: 0

      Exposing an iSCSI node to the great big wide world seems to go beyond normal incompetence and borders on utter ineptitude. Not that any device with an IP shouldn't be locked down, even inside a LAN (that's a bad enough failure of security), but wow, the idiocy of actually throwing any iSCSI device on a routable IP just seems so jaw-droppingly stupid.

      How do we know this isn't a bunch of IoT devices that just happen to have iscsid running?

      It's bad for leaving an unconfigured, unneeded daemon running, but not the same level of stupid as a bunch of actual iscsi target servers hanging out on the Internet.

      But I'm a FC storage admin, I think iscsi is dumb anyway, this is all degrees of dumb from my point of view.

    8. Re:Internet accessible? by Antique+Geekmeister · · Score: 1

      There are a number of IPv6 enthusiasts who insist that NAT is evil and unnecessary and insist that all IP addresses should be public, that all should be left to an intelligently configured and sophisticated firewall to protect the internal IP addresses even if they are routable. In the last 10 years, I haven't met any of these enthusiasts who competently run their firewalls, or who sensibly use the non-routable IPv6 address spaces for their devices.

    9. Re:Internet accessible? by Anonymous Coward · · Score: 0

      I'll bet a lot of it is IPv6

      While I never bought into the theory that "NAT = security" (it's the stateful inspection that's important), at least having private RFC 1918 addresses helped protect organizations against some of the boneheaded mistakes. (Though I'm sure there are a lot of admins who set up port forwarding as well.)

    10. Re:Internet accessible? by Anonymous Coward · · Score: 0

      You have no idea how IPv6 works. There is always an LLA address (non-routable or Link Local) autoconfigured by the stack. The "global" address is optional.

    11. Re:Internet accessible? by Dagger2 · · Score: 1

      I'll bet it's not.

      It's trivially easy to exhaustively scan the entire v4 internet space. Trying to do the same to the v6 space isn't going to work. There are ways to pare down the search space somewhat, but ultimately Shodan is going to be listing every single exposed v4 service but not very many of the v6 ones.

    12. Re:Internet accessible? by Anonymous Coward · · Score: 0

      I never understood this. Under normal circumstances it's quite difficult to make something internet accessible. Most firewalls, both corporate and consumer, by default use NAT with no forwarding, so under those conditions you'd have to go out of your way to make this happen ( ironic, given that if you have the knowledge necessary to do so, you know what not to do as well ).

      The only thing I can think of is that this is an org with a huge block of public IPs that are managed poorly, but I would expect this to be an edge case and not a part of all these risk vectors ( cameras, printers, workstations and now, apparently, disk systems ).

      Doubt you talk about actual dedicated firewalls but rather residential gateways and their SMB cousins.

    13. Re:Internet accessible? by Anonymous Coward · · Score: 0

      Exposing an iSCSI node to the great big wide world seems to go beyond normal incompetence and borders on utter ineptitude. Not that any device with an IP shouldn't be locked down, even inside a LAN (that's a bad enough failure of security), but wow, the idiocy of actually throwing any iSCSI device on a routable IP just seems so jaw-droppingly stupid.

      According to the article, many of them shared IP space with NAS web fronts, so they might not even know about iSCSI other than clicking enable on it without knowing what it was.

  5. Idiots by Anonymous Coward · · Score: 0

    So this is what happens when the "open to everything" people get to set up a disk enclosure.
    1. Why was the array internet facing.
    2. Why was there no iSCSI CHAP password.
    3. Why no physical network separation.
    4. Why are idiots getting hired? Didn't anyone have a security walkthrough during installation? Why is this company still in business?

    Really, could anyone honestly be this stupid? I really hope this is an April 1st joke, otherwise get everything you can out of someone else's data center and back into your company's, because they are just too stupid to be trusted.
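The three controls this comment asks about (Internet-facing portal, CHAP, storage VLAN separation) can be checked mechanically across an inventory of targets. The audit below is an added example, not code from the article or from any commenter; the inventory records, the IQNs, the storage VLAN 10.20.0.0/24 and the severity ranking are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Not routable on the public Internet: RFC 1918 IPv4 space plus IPv6 unique-local fc00::/7.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumed dedicated storage VLAN; a real audit would take this from the IPAM.
STORAGE_VLAN = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class TargetPortalGroup:
    """One iSCSI target portal group as an inventory would record it."""
    iqn: str
    portal_ip: str
    port: int = 3260
    chap_required: bool = False
    initiator_acls: List[str] = field(default_factory=list)  # permitted initiator IQNs


def portal_scope(ip: str) -> str:
    """Classify where a portal address can be reached from."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "wildcard"    # 0.0.0.0 or :: binds every interface, public ones included
    if addr.is_loopback or addr.is_link_local:
        return "local"       # e.g. an IPv6 LLA: never routed off the local segment
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"          # globally routable: the exposure the article describes


def audit(tpg: TargetPortalGroup) -> List[Tuple[str, str]]:
    """Check one portal group for the three controls: Internet-facing, CHAP, separation."""
    findings = []
    scope = portal_scope(tpg.portal_ip)
    if scope in ("public", "wildcard"):
        findings.append(("INTERNET_FACING", f"portal {tpg.portal_ip}:{tpg.port} is {scope}"))
    elif scope == "private" and ipaddress.ip_address(tpg.portal_ip) not in STORAGE_VLAN:
        findings.append(("OFF_STORAGE_VLAN", f"portal {tpg.portal_ip} is not in {STORAGE_VLAN}"))
    if not tpg.chap_required:
        findings.append(("NO_CHAP", "any initiator that reaches the portal can log in"))
    if not tpg.initiator_acls:
        findings.append(("NO_ACL", "target accepts any initiator IQN"))
    return findings


def severity(findings: List[Tuple[str, str]]) -> str:
    """Rank findings; Internet-reachable and unauthenticated is the article's worst case."""
    codes = {code for code, _ in findings}
    if "INTERNET_FACING" in codes and "NO_CHAP" in codes:
        return "critical"
    if "INTERNET_FACING" in codes:
        return "high"
    if "NO_CHAP" in codes or "OFF_STORAGE_VLAN" in codes:
        return "medium"
    return "low" if codes else "ok"


# Constructed sample inventory: hypothetical IQNs, private and documentation addresses only.
SAMPLE_TARGETS = [
    TargetPortalGroup("iqn.2019-04.example:backup-a", "10.20.0.5", chap_required=True,
                      initiator_acls=["iqn.2019-04.example:esx01"]),
    TargetPortalGroup("iqn.2019-04.example:nas-lun0", "0.0.0.0"),  # NAS with iSCSI just "enabled"
    TargetPortalGroup("iqn.2019-04.example:colo-array", "203.0.113.10", chap_required=True),
    TargetPortalGroup("iqn.2019-04.example:lab", "192.168.50.7"),
]


def audit_inventory(targets: List[TargetPortalGroup] = SAMPLE_TARGETS) -> dict:
    """Return {iqn: severity} for an inventory, printing each finding along the way."""
    report = {}
    for tpg in targets:
        findings = audit(tpg)
        report[tpg.iqn] = severity(findings)
        for code, msg in findings:
            print(f"{tpg.iqn}: [{code}] {msg}")
    return report
```

A wildcard bind (0.0.0.0) is flagged the same as a public address because a NAS that also carries a public web front will answer iSCSI on that interface too.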

    1. Re: Idiots by Anonymous Coward · · Score: 0

      I work for a large company where, due to various semi-legit factors, all addressing has moved to routable IPs instead of RFC1918 space.
      Our "brilliant" network team has assured us that it's not a risk because we simply don't advertise those blocks. Except every month or two when someone accidentally leaks the routes.
      And then discovers that the ACL on the data center edge is implemented poorly (i.e. basically not at all.)
      Fortunately we're not insane enough to use iSCSI so attack surfaces have been limited to the management plane of the NAS, but that's enough to give me heartburn.

    2. Re: Idiots by Anonymous Coward · · Score: 0

      Hello Mickey! I see you are still using those 153.x/16 inside?

    3. Re:Idiots by Anonymous Coward · · Score: 0

      why?

      These days, people need to prove they are stupid enough to be a presidential candidate!

    4. Re:Idiots by LostMyAccount · · Score: 1

      Idiots get hired because there is more work (and potential revenue) than there are people employed to do it. The valuable work (interest, challenge, complexity, value) gets shoveled to the competent employees to keep them employed.

      The marginal stuff isn't valuable enough to hire higher wage employees, so compromises are made to bring in "just OK" employees to do it, and to demonstrate their value they overreach and fuck things up.

      At least this is how it works where I am.

  6. Why would iSCSI have a default route? by Aqualung812 · · Score: 1

    Seriously, I can't think of why you would let iSCSI traffic leave your storage VLAN.

    Connect everything that needs iSCSI with a dedicated iSCSI NIC or vNIC, and be done with it.

    I really don't want a router delaying or otherwise messing with storage packets anyhow.

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.

    1. Re:Why would iSCSI have a default route? by ledow · · Score: 1

      I can't understand why anyone is running ANYTHING connected to the public Internet that's not behind a NAT/firewall that would stop all of these kinds of exposure.

      I mean, seriously - the problem is not the password. It's that it's even POSSIBLE to send and receive packets to these kinds of devices from the public Internet. It's just ridiculous.

    2. Re:Why would iSCSI have a default route? by Anonymous Coward · · Score: 0

      iTs tHe iNtErNeT oF tHiNgS! Makerspaces! Cloud! On the blockchain! WooOOoOOoOOoo.

      AKA, most people involved in technology are fucking morons, so you get what we have here today. Which is the way he wants it. Well, he gets it. I don't like it any more than you men.

    3. Re:Why would iSCSI have a default route? by Anonymous Coward · · Score: 0

      Seriously, I can't think of why you would let iSCSI traffic leave your storage VLAN.

      Connect everything that needs iSCSI with a dedicated iSCSI NIC or vNIC, and be done with it.

      I really don't want a router delaying or otherwise messing with storage packets anyhow.

      Read the article, 'cause the answer is there.

    4. Re:Why would iSCSI have a default route? by LostMyAccount · · Score: 1

      You're not wrong that it's a bad idea, but I see it happen.

      There's a lot of inexpensive (mostly 10 gig) switching out there that can route IP with minimal latency, or at least so little added latency it doesn't matter for a lot of ordinary storage traffic.

      The others are data center expansions/contractions and some levels of same-campus, different-building high availability projects that work so long as you're able to route iSCSI traffic. I've also seen poor scaling decisions involving iSCSI subnets require additional IP space for node or storage unit expansion and no good way for devices to cross logical subnets without major reconfiguration/renumbering. Routing fixes this problem.

      Places that scaled up quickly from poorly planned environments often end up implementing iSCSI VLANs but originally didn't and have storage devices they still need to talk to on existing routed networks. I've seen some dev/test environments that got built from old production parts "on the side" wind up needing to be merged in with production to finalize app upgrades or something.

      Then there's just dysfunctional people/organizations. I've worked at places where either the storage guy or the network guy was just an asshole and wouldn't extend even marginal effort to help the other guy solve these problems.

    5. Re:Why would iSCSI have a default route? by Anonymous Coward · · Score: 0

      I can't understand why anyone is running ANYTHING connected to the public Internet that's not behind a NAT/firewall that would stop all of these kinds of exposure.

      If you can't understand why it happens then either you do not work in the IT industry or you have a naive hope in users, management, and the bean counters. It's easy to understand. Management and the bean counters look to save money wherever they can, so they end up with inferior products and personnel who either don't know what they are doing or are willing to do whatever management says to keep their job. This also happens because anything in the IT department is seen as a cost center (as in it doesn't generate any revenue) and because most people in management (MBA types) are told to do whatever they can to reduce cost centers while conveniently forgetting or intentionally omitting to do a proper cost/risk analysis (it's OK, that stuff doesn't concern this quarter's reports). Then there is the issue of someone who has little knowledge of computers doing a risk analysis while not understanding even how to evaluate such risk.

      Side note: the only way to get this to change is to vote in political representatives who will increase the penalties for security failures like this. As it stands, lawmakers have only targeted consequences at the people who take advantage of these security lapses and not the companies who leave the door open. This encourages businesses to do nothing as they operate under the false assumption that the penalties for hackers will be a sufficient deterrent and thus reduce the risk, which obviously sways any cost/risk analysis to the side of spending the least amount possible.

      I hope this helps explain why this happens. It will not stop until the general public has a better understanding of how computers work.

  7. April Fools? by Anonymous Coward · · Score: 0

    I mean if this is true it is even more hilarious.

  8. Complacent enough by Sean+Clifford · · Score: 1

    I'm not worried if we're being complacent, rather are we being complacent *enough*? (shrugs)

    (yawns) Maybe we should schedule a meeting to discuss the pros and cons of checking our storage to see if it's exposed.

    (consults calendar) Hmm, looks like the bigwigs are out this week. They won't have anything useful to contribute, but get upset if they're excluded from something important enough to be in the news. Hmm, next week a couple of key people are out for training. Well, the 15th is recuperation from GoT season 8, episode 1, and tax day, so --- okay, how about Tuesday the 16th at 3PM Central so we can include our West coast folks after their lunch but catch the East coast folks before they go home?

  9. dafuq is iScuzzi? by Snotnose · · Score: 0

    I thought SCSI died decades ago. I'd know, I had Scuzzy stuff back in the 80s. Loved it at the time, but time marches on...

    In other words, I should not have to use Google to figure out a /. summary. It's not like I'm an accountant using QuickBooks in Twin Forks, IA. I've been programming computers for over 40 years now, and keep up with the current stuff. Except cloud stuff. I'll never keep my only copy of anything on someone else's Atari in their mom's basement.

    1. Re:dafuq is iScuzzi? by Anonymous Coward · · Score: 0

      Then how do you not know what iSCSI is? Every company I've worked for in the past decade has used it.

    2. Re:dafuq is iScuzzi? by ledow · · Score: 1

      News for Nerds.

      iSCSI has been around for decades. Think of it as SCSI over IP.

      And SCSI underpins a lot of things still... I take it you've never heard of SAS (serial attached SCSI) either?

      Pretty much anything you buy that's even remotely "server like" or "storage like" (even a cheap Netgear NAS) will offer iSCSI because so many people use it. And it's essential if you want to do things like virtualise your servers and run the storage across the network (so you can replicate your machines, access the same storage from multiple locations, etc.).

      I don't suggest that this site doesn't sometimes throw stuff at me and I think "Why the hell would I care?" but it tends to be business acronyms and weird niche stuff. iSCSI is literally inside every modern Windows (search for iSCSI initiators), every modern Linux, every NAS, every decent server (some of them use iSCSI to communicate with their own in-built storage, e.g. IBM BladeCenters) and you're a second away from discovering that it's just "SCSI-over-IP".

    3. Re:dafuq is iScuzzi? by Anonymous Coward · · Score: 0

      I thought SCSI died decades ago. I'd know, I had Scuzzy stuff back in the 80s. Loved it at the time, but time marches on...

      In other words, I should not have to use Google to figure out a /. summary. It's not like I'm an accountant using Quikbooks in Twin Forks, IA. I've been programming computers for over 40 years now, and keep up with the current stuff. Except cloud stuff. I'll never keep my only copy of anything on someone else's Atari in their mom's basement.

      Sorry to say it but you are like the typical dev, 'cause most of them don't know shit about ops.

    4. Re:dafuq is iScuzzi? by Anonymous Coward · · Score: 0

      Did you hear of a SAN, then? It's networked storage and everyone uses it.

      It's not like a NAS: a NAS serves files, just like a Windows 95 file share. SAN is more like serving raw 4KB hard drive sectors (or 512-byte sectors formerly). It's made of boxes full of hard drives doing nothing else (but well, you can serve iSCSI from your desktop PC or Raspberry if you wanted). Such that if you have two client machines writing to the same SAN volume or partition or virtual disk or whatever you call it, you will fuck the data up (unless you have special measures maybe).
      It allows you to put a bunch of disks in the same place.

      You have things like diskless NAS! A NAS server with no disks whatsoever inside it. Its "disks" are the SAN. Instead of SATA, IDE or SCSI cables you're using iSCSI, or FC, or FCoE as the "SATA cable". Also some people invented ATAoE, "ATA over Ethernet", because they were fed up with how the iSCSI spec is a document like 800 pages long. ATAoE is non-routable while iSCSI works on TCP/IP.

      I used iSCSI once: you can tell VirtualBox to use an iSCSI target as a "hard disk", so I did that and it worked (using VirtualBox command line tools, and I had installed iSCSI on my crappy Debian NAS).
      You can also boot on iSCSI; 1U servers routinely do that in the datacenters. You can do that on a home PC as well using an improved PXE (gPXE, or maybe it's called iPXE now). It's literally possible to boot from the Internet this way!
      I failed at getting that working; my goal was to boot MS-DOS on iSCSI because that's said to work and trivially do read/write - even though DOS is dumb as rocks and has no idea about networks or iSCSI, it will do this if something pretends to be a 1980s BIOS providing basic dumb I/O to a hard drive.

    5. Re:dafuq is iScuzzi? by Anonymous Coward · · Score: 0

      (same AC)

      So the excerpt from TFA says:

      This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices)

      Perhaps "SAN" instead of "storage disk arrays" would have been more direct and to the point. "SAN" should be a widely recognizable industry term.
      An Internet-accessible unsecured SAN is thus like direct access to a raw hard drive. It'd be like someone having physical access to a hard drive in the CP/M, DOS and minicomputer days.

    6. Re:dafuq is iScuzzi? by Anonymous Coward · · Score: 0

      News for Nerds.

      And it's essential if you want to do things like virtualise your servers and run the storage across the network (so you can replicate your machines, access the same storage from multiple locations, etc.).

      No, it is not essential for that scenario, but it is commonly used for that scenario, just like Fibre Channel, NFS and SMB3 as well as various distributed filesystem solutions.

  10. Why do SAN servers need pub IPs YMCA? by Joe_Dragon · · Score: 1

    Why do SAN servers need pub IPs YMCA?

    What is going on at a local site to need a SAN for storage anyway?

    1. Re:Why do SAN servers need pub IPs YMCA? by Anonymous Coward · · Score: 0

      Why do SAN servers need pub IPs YMCA?

      What is going on at a local site to need a SAN for storage anyway?

      Quick guess is support contracts required a public IP to call home, and then misconfigurations or bad decisions led to iSCSI being on those same IPs without correct firewall rules.

  11. ceph has better multi host HA by Joe_Dragon · · Score: 1

    ceph has better multi host HA