As details of the February attack continue to be divulged, it becomes evident that the attackers were able to get past both the users and the security controls that were in place.
On the evening of Sunday, February 19th, Axis became the victim of a cyberattack that, according to Axis, allowed threat actors to “elevate their access and eventually gain access to directory services.” The attack was discovered when “Axis threat detection systems alerted incident staff of unusual, suspicious behavior.”
Diving into the details provided on Axis’ attack response page, we learn something about the nature of the initial intrusion. According to Axis, “Using several combinations of social engineering, attackers were able to sign in as a user despite protective mechanisms such as multifactor authentication.”
When I hear “social engineering” together with a mention of “multifactor authentication”, I assume this was a phishing attack that successfully compromised a user’s credentials, either through an online lure at the outset or on the user’s endpoint. It’s helpful to the cybersecurity community when victim organizations provide some level of detail about an attack so that we can all learn from it.
The good news is that, according to Axis, while access was attained, it appears no data was exfiltrated other than (I’m guessing) details from within their directory service; the response page describes it as “Axis contact information including employee names and phone numbers”.
Moving forward, Axis needs a few obvious additions to their layered security strategy:
- Something to address elevation of privileges – a Privileged Access Management (PAM) solution, perhaps, to isolate privileged accounts from the everyday user accounts that attackers first compromise.
- Something to address the social engineering tactics – Security Awareness Training is the right choice here, educating users on the tactics in use and how to spot an attack before credentials are compromised.