
On Tuesday, March 9th, Bloomberg reported that threat actors had breached the security camera feeds of Verkada Inc., a Silicon Valley startup, gaining access to almost 150,000 video surveillance cameras inside hospitals, organizations, police departments, prisons and schools. This was an unsophisticated hack: the threat actors found credentials for a Verkada administrator account exposed on the Internet.

While many security vendors are claiming that they could have detected the breach, note that in this case the credentials used were valid administrative credentials that granted access to feeds from multiple customers on Verkada's cloud servers, not on customer networks. Additionally, because of Verkada's architecture, every feed from an organization's cameras was encrypted and sent directly to the cloud. An on-premises security solution would therefore have seen no anomaly from the cameras: they were simply streaming video to the centralized cloud server, exactly as they always did.

However, there are several security lessons from this incident:

  • Real-time visibility is critical – Video surveillance cameras are pervasive and, like many IoT devices, are not built with security in mind. Security starts with knowing what's on your network. Our customers use our inventory dashboard to find Verkada cameras, or any other video surveillance cameras, on their network.

  • Profile risks and behavior – It's important not only to identify devices, but also to understand the risks they bring and to map how they communicate. In one Ordr deployment, we found that 60% of an organization's cameras, deployed in hundreds of facilities worldwide, were using default passwords that were published on the Internet. Some of these cameras were also running "non-production" software that periodically called home to the vendor's R&D center in China. Once you understand the risks and have baselined normal communications, you can create segmentation policies that give each device the access its role requires while limiting its exposure.

  • Monitor admins, users and access – Always make sure that administrative and maintenance accounts are secured properly, and monitor users and access. As outlined in this blog post, Ordr provides robust tracking of users through AD/RADIUS and wireless integration, so you can monitor which user is accessing which devices at what time. We also monitor management protocols (SSH, Telnet, RDP) and can distinguish access by corporate users from access by guest users.

Organizations must treat the rapid growth of connected devices (i.e. digital transformation) as an opportunity to: maintain a continuous and accurate inventory; build a true understanding of how those devices communicate; automate alerts whenever a device or group of devices acts outside its established baseline; and automate proper segmentation of devices so that a compromised device cannot be used for lateral movement inside the network.
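The baseline-and-alert idea from the lessons above, shown as an added example (this is illustrative code, not Ordr's product logic). It learns, per device group, which (destination, port, protocol) tuples were seen during a clean learning period, then flags live flows that fall outside that set. All device names, groups, hosts and flow records are constructed for the demo.

```python
"""Alert on device flows outside a learned per-group baseline.

Added example, not Ordr's product logic. Device names, groups, hosts and all
flow records below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str   # inventory identifier (constructed, e.g. a camera's hostname)
    group: str    # device class from the inventory: "camera", "workstation", ...
    dst: str      # destination host or domain
    dport: int    # destination port
    proto: str    # "tcp" or "udp"

    def key(self):
        return (self.dst, self.dport, self.proto)


def build_baseline(flows):
    """Learn, per device group, the set of (dst, port, proto) seen in a clean period."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.group].add(f.key())
    return dict(baseline)


def find_deviations(baseline, flows):
    """Return flows whose (dst, port, proto) is not in the baseline for the device's group.

    A device whose group is absent from the baseline (never inventoried) has an
    empty allow-set, so every one of its flows is reported.
    """
    return [f for f in flows if f.key() not in baseline.get(f.group, set())]


# Constructed learning-period traffic: cameras only stream to the vendor cloud
# over TLS and sync time; workstations browse and reach the file server.
LEARNING = [
    Flow("cam-01", "camera", "stream.vendor-cloud.example", 443, "tcp"),
    Flow("cam-02", "camera", "stream.vendor-cloud.example", 443, "tcp"),
    Flow("cam-01", "camera", "ntp.corp.example", 123, "udp"),
    Flow("ws-07", "workstation", "files.corp.example", 445, "tcp"),
    Flow("ws-07", "workstation", "www.example.org", 443, "tcp"),
]

# Constructed live traffic to evaluate.
LIVE = [
    Flow("cam-01", "camera", "stream.vendor-cloud.example", 443, "tcp"),  # normal
    Flow("cam-02", "camera", "10.0.5.20", 22, "tcp"),                      # SSH inside the LAN
    Flow("cam-03", "camera", "rd.vendor-lab.example", 443, "tcp"),         # new call-home host
    Flow("ws-07", "workstation", "www.example.org", 443, "tcp"),           # normal
    Flow("unk-9f", "unknown", "www.example.org", 443, "tcp"),              # not in inventory
]


def deviating_devices(baseline=None, flows=LIVE):
    """Sorted device names with at least one out-of-baseline flow."""
    if baseline is None:
        baseline = build_baseline(LEARNING)
    return sorted({f.device for f in find_deviations(baseline, flows)})


if __name__ == "__main__":
    bl = build_baseline(LEARNING)
    for f in find_deviations(bl, LIVE):
        print(f"ALERT {f.device} ({f.group}) -> {f.dst}:{f.dport}/{f.proto} not in baseline")
```

Note what this does and does not catch: cam-02 opening SSH to an internal host, cam-03 calling home to a host never seen before, and a device with no inventory group are all reported, while cam-01 streaming to the vendor cloud as usual is not. That last case is exactly the Verkada situation described above: when the abuse happens on the vendor's cloud side with valid credentials, the camera's own traffic pattern does not change, so an on-premises baseline has nothing to alert on.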

This week SolarWinds announced that they were breached earlier this year and that the attackers were able to place malicious code within the build system for their Orion product. This malicious code was subsequently compiled, tested, signed and delivered to SolarWinds customers starting in March 2020. The last week has been very interesting, as a supply chain breach of this magnitude had previously only been theorized and discussed in security tabletop exercises. Since the announcement we have been working with several Ordr customers and partners to facilitate detection of malicious activity associated with this breach and, for some customers, detection of SolarWinds devices on the network so that they could be taken offline.

Currently, Ordr detects the command and control (C2) domains generated by the Domain Generation Algorithm (DGA) of this SolarWinds malware (named SUNBURST by FireEye) through our malicious communication detection service. Ordr monitors all device communications within the network, and if we see a connection or DNS lookup to one of the malicious domains associated with this malware (*.avsvmcloud.com, as published in the FireEye countermeasures: https://github.com/fireeye/red_team_tool_countermeasures) we alert the Ordr SCE operators.
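The domain-indicator check described above, as an added example (not Ordr's detection service). It runs DNS query and connection records against a domain IOC list using a label-aware suffix match, so that subdomains generated under avsvmcloud.com are caught while look-alikes such as notavsvmcloud.com or avsvmcloud.com.example.org are not. The one IOC domain comes from the post; the log format and every sample line are constructed for the demo.

```python
"""Match DNS lookups and connections against a domain IOC list (suffix-aware).

Added example, not Ordr's detection service. The log format and all sample
lines are constructed for the demo; the one IOC domain comes from the post.
"""
import re

# Wildcard parent domain named in the post (*.avsvmcloud.com). Further entries
# from the FireEye countermeasures would be added to this set.
IOC_DOMAINS = {"avsvmcloud.com"}

# Constructed log format: "<timestamp> <src_ip> <DNS|CONN> <name>", one record per line.
LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(DNS|CONN)\s+(\S+)$")


def normalize(name):
    """Lower-case and strip a trailing dot so 'x.avsvmcloud.com.' still matches."""
    return name.lower().rstrip(".")


def matching_ioc(name, iocs=IOC_DOMAINS):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    The suffix test is label-aware: 'notavsvmcloud.com' and
    'avsvmcloud.com.example.org' must NOT match 'avsvmcloud.com'.
    """
    n = normalize(name)
    for ioc in iocs:
        ioc = normalize(ioc)
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines):
    """Return (src_ip, record_type, name, ioc) for every record that hits an IOC."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, src, kind, name = m.groups()
        ioc = matching_ioc(name)
        if ioc:
            hits.append((src, kind, normalize(name), ioc))
    return hits


def hosts_to_investigate(hits):
    """Unique source addresses that touched an IOC, sorted for reporting."""
    return sorted({src for src, _kind, _name, _ioc in hits})


# Constructed sample records: one host resolves a DGA-style subdomain and then
# connects to the parent domain; the others are decoys or noise.
SAMPLE_LOG = [
    "2020-12-14T10:02:11Z 10.20.5.17 DNS k3s9q2w8.avsvmcloud.com",
    "2020-12-14T10:02:12Z 10.20.5.17 CONN avsvmcloud.com.",
    "2020-12-14T10:03:40Z 10.20.5.42 DNS notavsvmcloud.com",
    "2020-12-14T10:03:41Z 10.20.5.42 DNS avsvmcloud.com.example.org",
    "2020-12-14T10:04:00Z 10.20.5.99 DNS updates.corp.example",
    "this line is not a record",
]


if __name__ == "__main__":
    for src, kind, name, ioc in scan_log(SAMPLE_LOG):
        print(f"ALERT {src} {kind} {name} matches IOC {ioc}")
    print("investigate:", hosts_to_investigate(scan_log(SAMPLE_LOG)))
```

In practice the source address is the pivot: the host that resolved or connected to the IOC is the Orion server to isolate and examine, which is why the scan reports per-source hits rather than just a domain match count.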

Additionally, we have deployed several detection signatures to our deep packet inspection (DPI) intrusion detection system (IDS) that look for both the malicious communications associated with this SolarWinds malware and the lateral movement techniques that FireEye and Microsoft documented while researching the threat actors behind it.

Since Ordr detects and classifies every system on the network, we can also identify any SolarWinds systems present on the network at any time.

SolarWinds has released a hotfix (Orion Platform 2020.2.1 HF 1) and is releasing an additional hotfix (2020.2.1 HF 2) today to all of their customers. We urge all SolarWinds customers to apply these patches to their systems and to aggressively monitor their SolarWinds servers for any anomalies.

Additionally, we urge anyone running SolarWinds Orion to change every credential that was stored inside the Orion system, and to treat as compromised any credential that was stored there at any point in the last 10 months (i.e. since the trojanized builds began shipping in March 2020).