Over 13K iSCSI storage clusters left exposed online without a password

New attack vector opens backdoor inside enterprise disk storage arrays and people's NAS devices.
Written by Catalin Cimpanu, Contributor
storage disk array

Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication.

This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices.

What is iSCSI

iSCSI stands for Internet Small Computer Systems Interface, and is a protocol for linking workstations and servers to data storage devices, such as disk storage arrays (found in data centers and large enterprises) and network-attached storage (NAS) devices (found in people's homes and small-to-medium businesses --SMBs).

The protocol's main purpose is to allow an operating system to view and interact with a remote storage device, as if it was a local component, instead of an IP-based accessible system.

iSCSI is a core component of the modern computing industry, as it allows virtual machines (VMs) to boot from remote hard drives as they'd be local devices; allows companies to centralize storage systems without breaking apps that can't handle IP-based network storage paths; and is a crucial part of many data replication solutions.

The misconfiguration boo-boo

Naturally, because of the sensitive data these systems often contain, the iSCSI protocol supports various authentication measures, which device owners can set up to prevent unauthorized parties from connecting to their storage cluster and access storage drives, interact with the data, or create new storage drives.

But just like in the case of many internet-connected devices, such as routers, databases, web servers, and others, there is that small portion of device owners who failed to follow a minimum of security measures, and have left their storage arrays exposed online without authentication

This means that anyone knowing basic details about some of these systems can follow simple YouTube video tutorials and connect to these storage clusters, may them be large-scale disk arrays inside a company's data center, or tiny NAS devices left in an office corner.

Thousands of iSCSI cluster available via Shodan

Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices.

iSCSI systems on Shodan

In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.

In a cursory investigation of a small sample of exposed iSCSI clusters, ZDNet found passwordless iSCSI-accessible storage systems belonging to a YMCA branch, a Russian government agency, and multiple universities and research institutes from all over the globe.

Many of the IP addresses ZDNet found to expose an iSCSI cluster were also hosting password-protected web panels for NAS devices such as Synology, suggesting these devices had been properly secured with a password for the web panel, but not the iSCSI port.

In addition to our separate investigation, A Shadow, who has spent a few days analyzing the results, said that many of these iSCSI clusters also belong to private companies, which can be ideal targets for cyber-criminal groups, and especially ransomware gangs targeting big ransom payouts.

Such systems may be a little harder to spot in Shodan search results during short lookups, but a cyber-criminal gang looking to maximize its profits will be, without a doubt, willing to thoroughly research each exposed iSCSI cluster for its next big hit.

Updated on April 3: Following ZDNet coverage of this serious security issue, the team at Synology, whose users were among those affected, wanted to relay the following message to all customers in regards to iSCSI support in its products and the best way to configure it.

Synology states that iSCSI, like SMB, is not intended to be used over the internet, and does not suggest it. iSCSI is not accessible over QuickConnect, and DSM does not make port forwarding rules for this service automatic when users do the optional router setup. Synology strongly discourages opening up local-only services to the internet. If users must do so for whatever reason, a VPN should be used.

Additionally, although iSCSI typically does not use passwords, for those that want one can enable a feature called CHAP authentication: https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/iSCSIManager/target

Data leaks: The most common sources

More cybersecurity coverage:

Editorial standards