The recent breach of Silicon Valley start-up Verkada by the hacker collective APT 69420 using an administrative account feels like Groundhog Day. Certainly, the fact that a username and password for an administrator account was available on the internet is a huge problem. But even with this information exposed, the anomalous behaviors and activities that APT 69420 perpetrated – abnormal access, length of sessions, code execution, file viewing and movement – should have raised red flags.
We as an industry decided a long time ago that ‘protection’ is a goal, not an absolute, and that detection and response were therefore required. So why is the news cycle full of continuous breaches indicating that we still aren’t watching the right things closely enough?
According to the March 9, 2021 article in the Los Angeles Times written by William Turton of Bloomberg, “the hackers’ methods were unsophisticated: they gained access to Verkada through a ‘Super Admin’ account, enabling them to peer into the cameras of all of its customers.” This seems to be a growing method of attack by external hacker groups, because these ‘Super Admin’ accounts provide unfettered access and a foothold for lateral movement and future attacks.
The article quotes Tillie Kottmann, one of the hackers affiliated with APT 69420, as saying that the group found a username and password for an administrator account publicly exposed on the internet, which allowed them “to obtain ‘root’ access on the cameras, meaning they could use the cameras to execute their own code… obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature.”
While code execution by a ‘Super Admin’ account is not unusual, the type of code being executed, when (day/time), how (tools used), and why (in the context of normal business processes or planned configuration schedules) in most cases follow a defined enterprise IT process. Abnormalities in this process and deviations from normal ‘Super Admin’ account behavior are all ‘Indicators of Intent’, provided that the right metadata is visible, collected and correlated.
In addition to achieving root access, Kottmann said “they were able to download the entire list of thousands of Verkada customers, as well as the company’s balance sheet, which lists assets and liabilities.” This exfiltration of corporate data raises additional questions about data protection and IP controls. Every data loss event has a kill chain, even when it’s an inside job. Visibility into early attack stages such as Reconnaissance, Circumvention, Aggregation, and Obfuscation can and should be gained by understanding user behavior and deviations from the norm.
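To make the previous two paragraphs concrete, here is an added example (not code from the original post, and not anything Verkada runs) of the kind of baseline-and-deviation check they describe. It parses constructed audit records for a privileged account, compares each session against an assumed per-account baseline of working hours, expected actions, session length and exported data volume, and reports every deviation as an indicator worth a second look. The pipe-delimited log format, the account name, the target names and the baseline thresholds are all assumptions made for this example.

```python
"""Baseline-and-deviation checks for privileged ('Super Admin') accounts.

Added example, not code from the original post. The audit log format and
the baseline values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed audit records: "timestamp|account|action|target|bytes".
# Session one is a routine daytime configuration change; session two is an
# overnight login followed by code execution and bulk exports.
SAMPLE_LOG = """\
2021-03-08T09:15:00|super_admin|login|console|0
2021-03-08T09:20:00|super_admin|config_change|camera-fw-policy|0
2021-03-08T09:25:00|super_admin|logout|console|0
2021-03-08T03:02:00|super_admin|login|console|0
2021-03-08T03:05:00|super_admin|exec_shell|camera-1138|0
2021-03-08T03:40:00|super_admin|export|customer_list|52428800
2021-03-08T03:45:00|super_admin|export|balance_sheet|2097152
2021-03-08T07:50:00|super_admin|logout|console|0
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str
    target: str
    nbytes: int


@dataclass(frozen=True)
class Baseline:
    work_hours: range            # local hours when admin activity is expected
    expected_actions: frozenset  # actions that belong to the normal IT process
    max_session_minutes: int     # longest session seen in normal operations
    max_bytes_per_session: int   # most data normally moved in one session


# Assumed baseline for the one privileged account in the sample log.
BASELINES = {
    "super_admin": Baseline(
        work_hours=range(8, 19),
        expected_actions=frozenset({"login", "logout", "config_change"}),
        max_session_minutes=120,
        max_bytes_per_session=10 * 1024 * 1024,
    ),
}


def parse_line(line: str) -> Event:
    ts, account, action, target, nbytes = line.split("|")
    return Event(datetime.fromisoformat(ts), account, action, target, int(nbytes))


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: list[Event], baselines: dict) -> list[tuple[str, str, str]]:
    """Return (timestamp, account, reason) for every deviation from baseline.

    Sessions are delimited by login/logout events; session length and the
    total bytes exported are evaluated when the session closes.
    """
    findings = []
    session_start: dict[str, datetime] = {}
    session_bytes: dict[str, int] = {}
    for ev in events:
        bl = baselines.get(ev.account)
        if bl is None:
            continue  # only accounts with a privileged baseline are scored here
        stamp = ev.ts.isoformat()
        if ev.action == "login":
            session_start[ev.account] = ev.ts
            session_bytes[ev.account] = 0
            if ev.ts.hour not in bl.work_hours:
                findings.append((stamp, ev.account, "off-hours login"))
        if ev.action not in bl.expected_actions:
            findings.append((stamp, ev.account,
                             f"unexpected action {ev.action} on {ev.target}"))
        session_bytes[ev.account] = session_bytes.get(ev.account, 0) + ev.nbytes
        if ev.action == "logout" and ev.account in session_start:
            minutes = (ev.ts - session_start.pop(ev.account)).total_seconds() / 60
            if minutes > bl.max_session_minutes:
                findings.append((stamp, ev.account,
                                 f"session length {minutes:.0f} min exceeds baseline"))
            total = session_bytes.pop(ev.account, 0)
            if total > bl.max_bytes_per_session:
                findings.append((stamp, ev.account,
                                 f"{total} bytes exported exceeds baseline"))
    return findings


def analyze(text: str = SAMPLE_LOG, baselines: dict = BASELINES):
    return detect(parse_log(text), baselines)


if __name__ == "__main__":
    for ts, account, reason in analyze():
        print(ts, account, reason)
```

Run as-is, the daytime session produces no findings, while the overnight session yields six: the off-hours login, the shell execution, the two exports, a session length far beyond the baseline, and an exported volume well above it. In a real deployment the baseline would be learned from the account’s own history rather than typed in, and the individual findings would be correlated into a single session-level alert; the point is that each of the behaviors the post lists (time of access, session length, code execution, data movement) is visible in ordinary audit metadata once it is collected and compared against what normal looks like.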
Perhaps most disturbing about this attack, however, was that the hackers ‘watched through the camera of a Verkada employee who had set one of the cameras up inside his home. One of the saved clips from the camera shows the employee completing a puzzle with his family.’ This is an incredible violation of this employee’s privacy and reinforces the concerns raised about employee monitoring during the accelerated shift to remote work during the COVID-19 pandemic.
The Verkada breach raises many questions and highlights the need for human-centric cyber security intelligence that prioritizes privacy while protecting corporate assets and IP.