International. On the night between Saturday, February 19 and Sunday, February 20, Axis was the target of a cyberattack, the company said in a detailed report. It explained that the attackers used various combinations of social engineering methods to log in as a user despite protection mechanisms such as multi-factor authentication.
Once inside, the attackers used advanced methods to elevate their access and eventually gain access to directory services.
Axis' threat detection systems alerted personnel to incidents of unusual and suspicious behavior, and investigations began early Sunday morning, February 20. At approximately 9 am CET on Sunday morning, IT management decided to bring in external security experts and at approximately 12:00 (noon), it was confirmed that the hackers were active within Axis networks. The decision was made to disconnect all external connectivity immediately as a way to isolate intruders.

By 6:00 p.m. all access to the network had been closed globally. The measure had the intended effect of preventing access for intruders.
It also resulted in a loss of external services for Axis staff, such as incoming and outgoing email. Partner services were also affected, as axis.com and extranets were not available.
Investigations quickly showed that parts of the server infrastructure had been compromised while others remained intact.
Forensic work, together with cleanup and restoration of the affected components, started immediately, with the aim of returning them to normal operation quickly and gradually.
Global production and supply chain were largely unaffected throughout the period. The first customer-oriented services were available on Sunday evening, February 20.
Gradually, in the following days, more and more external services were released and again available online, including business services, main parts of axis.com, and email services.
As of Sunday, February 27, the most recent status presented by the company, most of the external services have been restored and some are still waiting for security authorization. As for Internet-oriented services, Axis currently operates in a restricted mode. "This will continue as long as the forensic investigation is ongoing and until cleaning and restoration is complete. This primarily affects our internal workflows and has a very limited effect on customers and partners. We expect the final parts of our customer-facing services to be fully available within a few days," the report said.

Findings so far
The company explained in its report that no encrypted servers have been found, "but we found malware and indications that internal directory services were compromised. Customer information has not been found to be affected in any way. In total, we found limited signs of harmful consequences in addition to general embarrassment and lost productivity as we clean up services for production step by step."
The attackers used multiple social engineering methods to gain access despite the company's security mechanisms. The improvements already made are changes that reduce the risk of human error. Technical security mechanisms have generally been addressed across the board to limit the risk of any similar future event. The effect is greater security at the expense of slightly less fluid workflows.
"Needless to say, we are humble before and because of the gravity of the situation. We are also grateful to have been able to detect and stop an ongoing attack before it had much more lasting effects."
"Once all systems have been restored and the investigation has concluded, this incident will be extensively analyzed to determine appropriate next steps. We would like to assure you that this incident only reconfirms our full commitment to the principles of cybersecurity and its protection. To help prevent future intrusions, we will continue to increase our investment in security, training and education," said Leopoldo Ruíz, AXIS LATAM Regional Director.
The company said it will present more information if its ongoing investigation uncovers events of greater relevance.
Source: Axis Communications.

