iSCSI vulnerability reveals another avenue hackers are exploiting

There’s seemingly no end to the avenues for hackers to penetrate protected systems. From simple (yet dishearteningly still effective) email phishing to DDoS overloads to high-complexity malware/ransomware custom-built for specific targets, hackers are becoming ever more effective and creative in gaining access to sensitive systems. But the first line of defense is still your employees, and in a recent snafu, more than 13,000 data centers and remote servers (iSCSI storage clusters) were accessible via the Internet without any credentials… at all.

What is iSCSI and why does it matter?

iSCSI stands for Internet Small Computer Systems Interface. It is a protocol for linking workstations and servers to data storage devices, such as disk storage arrays (found in data centers and large enterprises) and network-attached storage (NAS) devices (found in people’s homes and small-to-medium businesses, or SMBs).

The protocol’s main purpose is to let an operating system view and interact with a remote storage device as if it were a local component rather than a system reached over IP.

It should come as no surprise that these systems often hold the most sensitive data an organization has, so the iSCSI protocol supports authentication measures that the owner of a storage cluster or network drive can set and control to keep unauthorized users out.

The last thing you want is hackers gaining access to the protected data, or creating new storage drives on the local system.

Thousands of iSCSI clusters compromised

According to ZDNet:

“…there is that small portion of device owners who failed to follow a minimum of security measures, and have left their storage arrays exposed online without authentication … Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices.”

ZDNet then went on to test these claims, coming away with some startling conclusions:

“ZDNet found passwordless iSCSI-accessible storage systems belonging to a YMCA branch, a Russian government agency, and multiple universities and research institutes from all over the globe. Many of the IP addresses ZDNet found to expose an iSCSI cluster were also hosting password-protected web panels for NAS devices such as Synology, suggesting these devices had been properly secured with a password for the web panel, but not the iSCSI port.”

What it means for you and your business

So what are we to take from this incident? For one, there are layers upon layers to your security stack, and overlooking any one of them can result in a crippling vulnerability. Another is that iSCSI solutions are not intended to be used over the internet. In general, you shouldn’t open local-only services to the internet, and in the off chance you absolutely have to, put them behind a VPN.
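One way to catch the exact misconfiguration ZDNet describes (web panel locked down, iSCSI port wide open) is to audit what each storage host is listening on. The following is an added example, not code from the original post or from ZDNet: it classifies the iSCSI target listeners in a host’s own `ss -Htln` output and flags any bound to a wildcard or public address; the port number 3260 is the IANA-registered iSCSI target port, and the `ss` sample is constructed.

```python
"""Flag iSCSI target listeners (TCP/3260) bound beyond loopback or private space."""
import ipaddress

ISCSI_PORT = 3260  # IANA-registered iSCSI target port
# Constructed sample of `ss -Htln` output (State Recv-Q Send-Q Local Peer):
# wildcard-bound v4 and v6 iSCSI listeners, a LAN-only one, a loopback one,
# and a NAS web panel on 5000 that the check must ignore.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 256 0.0.0.0:3260 0.0.0.0:*
LISTEN 0 256 [::]:3260 [::]:*
LISTEN 0 128 10.0.0.5:3260 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3260 0.0.0.0:*
LISTEN 0 511 0.0.0.0:5000 0.0.0.0:*
"""

def split_addr_port(local):
    """Split ss's Local Address:Port field, e.g. '[::]:3260' or '*:3260'."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "::"  # some ss versions print '*' for the IPv6 wildcard
    return host, int(port)

def exposure(addr):
    """Classify a bound address as wildcard, loopback, private or public."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"

def find_exposed_iscsi(ss_output):
    """Return (address, class) for iSCSI listeners on a wildcard or public address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = split_addr_port(fields[3])
        kind = exposure(addr)
        if port == ISCSI_PORT and kind in ("wildcard", "public"):
            findings.append((addr, kind))
    return findings

if __name__ == "__main__":
    for addr, kind in find_exposed_iscsi(SAMPLE_SS_OUTPUT):
        print(f"iSCSI target bound to {addr} ({kind}); restrict it to the storage VLAN or VPN")
```

A wildcard or public binding is only safe if a perimeter firewall drops inbound 3260, so treat every finding as something to verify against the firewall rules, not just the host.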

That’s where a company like Leverage can really help out — we keep an eye on all this so you can focus on running your business, because our business is having your back.