Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 13K iSCSI Storage Clusters Left Exposed Online Without a Password (zdnet.com)

Posted by msmash on from the security-woes dept.

Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication. From a report: This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices. [...] Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.

21 of 48 comments (clear)

  1. and we at Piped Piper are thankful by negrace · · Score: 1

    Thanks guys!

  2. "internet-accessible hard drives" by IWantMoreSpamPlease · · Score: 2

    What's wrong with this picture?
    Oh yeah, the same thing wrong with "the cloud"

    I still can't believe "the cloud" ever took off with the IT world...

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
    1. Re:"internet-accessible hard drives" by Anonymous Coward · · Score: 2, Interesting

      Oh yeah, the same thing wrong with "the cloud"

      iSCSI dates back to 1998. "The Cloud" dates back to 2006. iSCSI is intended to be used over a LAN, not the internet. This is a "misconfiguration" as said in the second word of the summary, not someone intentionally sharing data to the cloud or whatever you think it is.

    2. Re:"internet-accessible hard drives" by Anonymous Coward · · Score: 1

      The cloud is commercial time sharing and that dates back to the 1960s.

    3. Re:"internet-accessible hard drives" by luis_a_espinal · · Score: 1

      What's wrong with this picture? Oh yeah, the same thing wrong with "the cloud"

      I still can't believe "the cloud" ever took off with the IT world...

      The cloud took over IT because it made sense.

      The problem we are seeing here (not security your shit), that's been an old problem since offices started giving workers PCs connected to a LAN or whatever. Hell, I'll say this is just another manifestation of the same old problem of someone lending badges and id cards to a co-worker (or someone else) in the good old days of timesharing and mainframes.

      What we are seeing here is not a problem of "the cloud" or "IoT". It's product designers shipping products that do not require an authentication setup. There can be no product accessible with a default password over the wire.

      Then there is the issue of IT monkeys setting up IoT devices unprotected. I can understand someone leaving a smart thermostat unprotected. A iSCSI? On a cluster? C'mon, what's the excuse?

  3. Internet accessible? by grasshoppa · · Score: 3, Insightful

    I never understood this. Under normal circumstances it's quite difficult to make something internet accessible. Most firewalls, both corporate and consumer, by default use NAT with no forwarding, so under those conditions you'd have to go out of your way to make this happen ( ironic, given that if you have the knowledge necessary to do so, you know what not to do as well ).

    The only thing I can think of is that this is an org with a huge block of public IPs that are managed poorly, but I would expect this to be an edge case and not a part of all these risk vectors ( cameras, printers, workstations and now, apparently, disk systems ).

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Internet accessible? by DarkOx · · Score: 3, Informative

      i'll bet a lot of it is ipv6

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Internet accessible? by MightyMartian · · Score: 1

      Exposing an iSCSI node to the great big wide world seems to go beyond normal incompetence and borders on utter ineptitude. Not that any device with an IP shouldn't be locked down, even inside a LAN (that's a bad enough failure of security), but wow, the idiocy of actually throwing any iSCSI device on a routable IP just seems so jaw droppingly stupid.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Internet accessible? by petermgreen · · Score: 1

      Not just one org, there are piles of orgs, especially in academia that have been on the net since before the eternal september and the IPv4 crunch and still run their networks in much the way they always have. Mostly open to the Internet with maybe some limited firewalling on ports particularly likely to be abused.

      Also when ever you rent a server or VM or colocation slot from a hosting provider it comes with a public IP open to the Internet by default. I could easilly see someone fed up with overpriced cloud storage shoving an iScsi storage array into a colo rack and just hooking it up to the hosting provider's network (wide open to the Internet) without thinking things through properly.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    4. Re:Internet accessible? by Anonymous Coward · · Score: 1

      OUR pr0n collection, Comrade!

      Typical damn greedy Capitalist, only thinking of himself!

    5. Re:Internet accessible? by ilsaloving · · Score: 1

      Same here. The only way this can happen is by sheer ineptitude.

      This is the double-edged sword of empowering people by making things simpler and more accessible. While it streamlines things for pros, it also allows dunning-krugers to think that they can punch above their weight, with the end results being what we see today.

      I've run into these kinds of people now and then, and... just wow. It's not even the incompetence that bugs me. It's the surety that they know what they're doing, and the completely obliviousness of their own lack of skill. One of these people cost me my vacation last year because they managed to cause a massive security incident which I then had to mitigate before things got even worse.

      It's why I despise things like Javascript and Visual Basic. Stop enabling people to code when they don't have the skills for it. Just because you can vomit some text into a browser that somehow manages to work despite your best efforts, doesn't make you the next rock star programmer that will change the world.

    6. Re:Internet accessible? by Antique+Geekmeister · · Score: 1

      There are a number of IPv6 enthusiasts who insist that NAT is evil and unnecessary and insist that all IP addresses should be public, that all should be left to an intelligently confifured and sophisticated firewall to protect the internal IP addresses even if they are routable. In the last 10 years, I haven't met any of these enthusiasts who competently run their firewalls, or who sensibly use the non-routable IPv6 address spaces for their devices.

    7. Re:Internet accessible? by Dagger2 · · Score: 1

      I'll bet it's not.

      It's trivially easy to exhaustively scan the entire v4 internet space. Trying to do the same to the v6 space isn't going to work. There are ways to pare down the search space somewhat, but ultimately Shodan is going to be listing every single exposed v4 service but not very many of the v6 ones.

  4. Why would iSCSI have a default route? by Aqualung812 · · Score: 1

    Seriously, I can't think of why you would let iSCSI traffic leave your storage VLAN.

    Connect everything that needs iSCSI with a dedicated iSCSI NIC or vNIC, and be done with it.

    I really don't want a router delaying or otherwise messing with storage packets anyhow.

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    1. Re:Why would iSCSI have a default route? by ledow · · Score: 1

      I can't understand why anyone is running ANYTHING connected to the public Internet that's not behind a NAT/firewall that would stop all of these kinds of exposure.

      I mean, seriously - the problem is not the password. It's that's its even POSSIBLE to send and receive packets to these kinds of devices from the public Internet. It's just ridiculous.

    2. Re:Why would iSCSI have a default route? by LostMyAccount · · Score: 1

      You're not wrong that it's a bad idea, but I see it happen.

      There's a lot of inexpensive (mostly 10 gig) switching out there that can route IP with minimal latency, or at least so little added latency it doesn't matter for a lot of ordinary storage traffic.

      The other are data center expansions/contractions and some levels of same-campus, different-building high availability projects that work so long as you're able to route iSCSI traffic. I've also seen poor scaling decisions involving iSCSI subnets require additional IP space for node or storage unit expansion and no good way for devices to cross logical subnets without major reconfiguration/renumbering. Routing fixes this problem.

      Places that scaled up quickly from poorly planned environments often end up implementing iSCSI VLANs but originally didn't and have storage devices they still need to talk to on existing routed networks. I've seen some dev/test environments that got built from old production parts "on the side" wind up needing to be merged in with production to finalize app upgrades or something.

      Then there's just dysfunctional people/organizations. I've worked at places where either the storage guy or the network guy was just an asshole and wouldn't extend even marginal effort to help the other guy solve these problems.

  5. Complacent enough by Sean+Clifford · · Score: 1

    I'm not worried if we're being complacent, rather are we being complacent *enough*? (shrugs)

    (yawns) Maybe we should schedule a meeting to discuss the pros and cons of checking our storage to see if it's exposed.

    (consults calendar) Hmm, looks like the bigwigs are out this week. They won't have anything useful to contribute, but get upset if they're excluded from something important enough to be in the news. Hmm, next week a couple of key people are out for training. Well, the 15th is recuperation from GoT season 8, episode 1, and tax day, so --- okay, how about Tuesday the 16th at 3PM Central so we can include our West coast folks after their lunch but catch the East coast folks before they go home?

  6. why does SAN servers need pub ip's YMCA? by Joe_Dragon · · Score: 1

    why does SAN servers need pub ip's YMCA?

    Whats is going on an local site to need an SAN for storage any ways?

  7. ceph has better multi host HA by Joe_Dragon · · Score: 1

    ceph has better multi host HA

  8. Re:dafuq is iScuzzi? by ledow · · Score: 1

    News for Nerds.

    iSCSI has been around for decades. Think of it as SCSI over IP.

    And SCSI underpins a lot of things still... I take it you've never heard of SAS (serial attached SCSI) either?

    Pretty much anything you buy that's even remotely "server like" or "storage like" (even a cheap Netgear NAS) will offer iSCSI because so many people use it. And it's essential if you want to do things like virtualise your servers and run the storage across the network (so you can replicate your machines, access the same storage from multiple locations, etc.).

    I don't suggest that this site doesn't sometimes throw stuff at me and I think "Why the hell would I care?" but it tends to be business acronyms and weird niche stuff. iSCSI is literally inside every modern Windows (search for iSCSI initiators), every modern Linux, every NAS, every decent server (some of them use iSCSI to communicate with their own in-built storage, e.g. IBM BladeCenters) and you're a second away from discovering that it's just "SCSI-over-IP".

  9. Re:Idiots by LostMyAccount · · Score: 1

    Idiots get hired because there is more work (and potential revenue) than there are people employed to do it. The valuable work (interest, challenge, complexity, value) gets shoveled to the competent employees to keep them employees.

    The marginal stuff isn't valuable enough to hire higher wage employees, so compromises are made to bring in "just OK" employees to do it, and to demonstrate their value they overreach and fuck things up.

    At least this is how it works where I am.