Almost 13,500 iSCSI storage clusters publicly available without any authentication

• These open iSCSI storage clusters could allow attackers to access the internet-accessible hard drives such as storage disk arrays and NAS devices.
• The attackers could then replace the legitimate files with malware, insert backdoors inside backups, or steal any sensitive information stored on the unprotected devices.

What is the issue - A PenTester who goes under the name ‘A Shadow’ detected more than 13,500 iSCSI storage clusters that were left online without any password protection.

Why it matters?

• These open iSCSI storage clusters could allow attackers to access the internet-accessible hard drives such as storage disk arrays and NAS devices.
• The attackers could then replace the legitimate files with malware, insert backdoors inside backups, or steal any sensitive information stored on the unprotected storage devices.

What is iSCSI - Internet Small Computer Systems Interface (iSCSI) is a protocol used for linking workstations and servers to data storage devices, such as disk storage arrays and network-attached storage (NAS) devices.

The big picture

A Shadow, the pentester who detected over 13500 unprotected iSCSI storage clusters, analyzed the leaky storage devices and found out that these clusters belong to private companies.

The PenTester also notified ZDNet about the leaky storage devices, describing the iSCSI exposure as a ‘dangerous backdoor’ that could allow attackers to plant ransomware-infected files on companies’ networks, steal company data, or drop backdoors inside backup archives.

ZDNet analyzed the samples of misconfigured iSCSI clusters and found out that the storage devices belong to a YMCA branch, a Russian government agency, and several educational and academic institutions, universities, and research institutes across the world.

“Many of the IP addresses ZDNet found to expose an iSCSI cluster were also hosting password-protected web panels for NAS devices such as Synology, suggesting these devices had been properly secured with a password for the web panel, but not the iSCSI port,” ZDNet reported.