This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year.
As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident.
This incident emphasizes the importance of the Zero Trust model that Cloudflare follows and provides to customers, which ensures that if any one system or vendor is compromised, it does not compromise the entire organization. Unlike the previous castle-and-moat approach, a Zero Trust model functions more like bulkheads in a ship, making sure that a leak in one place doesn’t sink the entire ship.
https://www.theverge.com/2021/3/9/22322122/verkada-hack-1500...
Hackers gained access to over 150,000 of [Verkada]’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices, Bloomberg reports.
This sounds silly, of course, but it wouldn't surprise me if someone cheaped out somewhere and connected two networks that should never be connected together.
This explanation begs the obvious question: why were they still connected to Cloudflare's internal network for nearly a year? Does Cloudflare just keep paying rent for 'officially closed' offices? Obviously this ArsonCats group is exaggerating the extent of the hack, but this official explanation from Cloudflare doesn't exactly pass the sniff test either.
Under those circumstances it definitely makes sense to keep the cameras on.
Well... yes. We intend to open them again when the pandemic is over.
Note in both screenshots the copious amounts of 'mmcblk0pXX'; that looks like an embedded device. Probably the same cameras this group found vulns in. The idea that those cameras somehow give access to all of Cloudflare, or all of Okta, is wrong and clickbait and sensationalist.
By the way, according to github [1] this girl is in Switzerland. There exist extradition treaties, and she is not operating under a pseudonym. These are publicly traded companies. She could very easily find herself in prison for this.
[1]: https://github.com/deletescape
edit: wording.
[2] https://twitter.com/nyancrimew/status/1367871797631348738
[3] https://twitter.com/nyancrimew/status/1364598743564251136
[4] https://twitter.com/nyancrimew/status/1367523201174110216/ph...
EDIT: Her account is suspended. Provided archive links where available
Oh, wait, neither Cloudflare nor Okta were hacked. Crappy IoT devices on their networks - quite likely isolated or untrusted - were hacked.
Frankly if these companies trusted their 'corporate networks', THAT would be the story here. But the fact that someone hacked their cameras was both posted here a few hours ago[1] and not news[2].
[1] https://news.ycombinator.com/item?id=26405056
[2] Seriously! How is "more IoT devices hacked" still a story? It's literally a continuous occurrence. Piss off.
I disagree. From my experience there are many big corps out there that use VLANs but don't properly secure them. And even if they did I expect pivoting from these hosts would be trivial when compared to getting in externally.
Finally, these cameras aren't alone. They're often integrated into a centralized controller which has to be routable by both the cameras as well as the host/hosts required to review the footage. So even IF they were properly segmented there's still most likely a path to the 'corp' VLAN.
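A way to check the argument above (whether a shared controller gives a camera VLAN a transitive route to the corp VLAN), as an added example that is not from the thread or from any vendor; the segment names and allow-rules are constructed:

```python
"""Added example, not code from the thread or from any vendor: a small
reachability audit for the topology the comment describes.  Cameras must
reach a central controller, and the hosts used to review footage must reach
it too; the question is whether those facts, combined with the rest of the
allow-list, give a compromised camera a route to the corporate VLAN."""
from collections import deque
from typing import Dict, List, Optional, Set

def build_policy(controller_may_initiate_to_review_hosts: bool) -> Dict[str, Set[str]]:
    """Directed allow-rules (src -> dsts). No rule means traffic is dropped.
    The flag models a common mistake: letting the controller *initiate*
    connections toward staff hosts instead of only answering them."""
    allow = {
        "camera_vlan":  {"controller"},               # cameras push streams to controller
        "controller":   {"camera_vlan"},              # controller manages cameras
        "review_hosts": {"controller", "corp_vlan"},  # review hosts sit on / route to corp
        "corp_vlan":    set(),
    }
    if controller_may_initiate_to_review_hosts:
        allow["controller"].add("review_hosts")       # the 'loose' rule
    return allow

def pivot_path(allow: Dict[str, Set[str]], src: str, dst: str) -> Optional[List[str]]:
    """BFS over allow-rules: the shortest chain of segments an intruder who
    fully controls `src` could traverse to reach `dst`, or None if isolated."""
    parents: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parents[cur]
            return chain[::-1]
        for nxt in sorted(allow.get(cur, ())):
            if nxt not in parents:
                parents[nxt] = cur
                queue.append(nxt)
    return None

if __name__ == "__main__":
    for loose in (False, True):
        p = pivot_path(build_policy(loose), "camera_vlan", "corp_vlan")
        print("controller->review_hosts allowed:", loose, "| path:", p or "none (isolated)")
```

With the tight policy the camera VLAN reaches only the controller; with the loose one the audit returns the chain camera_vlan, controller, review_hosts, corp_vlan, which is exactly the path the comment warns about.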
BTW, the central controller for these cameras is "in the cloud". That's how they were hacked. Keep up.
That's not good, but it's bullshit to claim, "if we wanted to we could have probably owned half the internet in like a week." I seriously doubt that any of these companies have their security cameras on the same networks as anything sensitive, let alone production infrastructure. Heck, I doubt that any have their cameras on the same networks as developer machines (which are used on public networks all the time and can have all kinds of dubious software installed on them).
Hell, the offices being closed and having control of the security cameras sounds a lot like the start of a great way to break in quietly and get physical access. How many systems do you know that are secure if you can touch them?
More importantly: at most companies, accessing sensitive systems requires more than just a username and password. Pretty much every place requires TOTP or HOTP, often via a hardware token. Many firms also restrict access to specific machines.
all we've gotten this decade has been super quiet "state-level actors", and uninspired trolls
I want the "for the lulz" ASCII art pros dropping MIDI music while also pillaging corporations and leaking secrets
make a festival out of it.
I think it's coming, a hack that incorporates the best of the latest hacks. Like making a docker disk image of content that was leaked, so that all the other hackers (including the original hacker) have plausible deniability and don't violate the CFAA
https://meduza.io/en/feature/2021/01/21/thanks-for-the-data-...
[0] https://en.m.wikipedia.org/wiki/Max_Headroom_signal_hijackin...
Not a huge deal though, this will hopefully cause them to look at truly closed circuit or isolated cameras.
Cloudflare & Okta is insane though.
The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.
[1] https://twitter.com/nyancrimew/status/1369388911693340674
Oh, skids. Pop a single shell in a disposable environment in some corporate hellscape cloud infra and they think they can pwn the interwebs. I'm sure you could root some shitty Fargate container of some shitty web app in my company, too, but you literally can't get to any other network from it.
They'll be dining out on this for years on irc. (do the kids still irc? is twitter the new irc?)
Blah blah Twitter makes for crap HN articles etc