Datacenters in China, Singapore cracked by crims who then targeted tenants
Infiltrators tried to create fake remote hands tasks, alter visitor lists
Criminals have targeted datacenter operators in Singapore and China, tapping into their CCTV cameras, accessing their tenant lists and then attacking those customers.
That's the scary scenario outlined by infosec vendor Resecurity, which has detailed malicious campaigns said to have started in 2021 but became apparent earlier this month when info dumps were teased on the notorious Breached.to forums.
"Resecurity identified several actors in the Dark Web potentially originating from Asia, they managed acquired access to the 'customer' records and exfiltrated them from one or multiple databases related to specific applications and systems which are leveraged by several datacenter organizations," the security boffins' description of the incident states.
In one of the cases, in China, Resecurity asserts that "initial access was gained via a vulnerable helpdesk or ticket management module having integration with other applications and systems, and based on our assessment could allow them to perform lateral movement in one of the observed episodes."
That lateral movement included accessing a list of the datacenter operator's CCTV cameras "with associated video stream identifiers used to monitor datacenter environments, as well as credential information related to operators (IT staff at the datacenter) and customers."
The crims scooped customer credentials and then went to work in their control panels "to collect information about the representatives of the enterprise customers who manage operations at the datacenter, list of purchased services, and deployed equipment."
- Open source software has its perks, but supply chain risks can't be ignored
- Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appears
- Live Nation CFO on Taylor Swift ticket chaos: Don't blame me, bots made me crazy
- The world is 'clearly' not prepared for cyberwarfare
The attackers also tried to tap into the remote hands service offered by the datacenter operators – services that see datacenter staff perform physical and software maintenance of tenants' kit. The potential for mayhem flowing from directing remote hands to perform fake tasks is considerable.
So does accessing tenants' approved visitor lists – another tactic Resecurity states it observed in China.
"The actor was able to compromise one of the internal email accounts used to register visitors – which could then be used for cyber espionage or other malicious purposes" because "Information about visitors may disclose important information about the exact staff responsible for datacenter operations from the client side."
Once an attacker knows who is allowed to visit a datacenter, securing that person's credentials presumably shoots up the to-do list.
In the second case, in Singapore, Resecurity again believes that the attack started with action against a customer service portal, helpdesk, and/or ticket management system. That effort yielded details of the datacenter's tenants and potentially allowed the attackers to order remote hands services and movement of materials within the datacenter. It may also have been possible for the attackers to change tenants' access permissions. The vendor has reported this incident to CSA SingCERT.
Resecurity also detected action against a US-based organization it says operates in the "carrier neutral datacenter field" and which "was a client of one of the previously impacted datacenters abroad."
Terrifyingly, when Resecurity interviewed clients of the Singapore datacenter, it was told they were not informed of the incident.
The Chinese and Singaporean bit barn barons have, however, advised customers to reset passwords since the February info dumps appeared online.
Resecurity has suggested the attacks are an evolution of the supply chain attacks that saw SolarWinds and Kaseya attacked to gain access to their many managed services provider clients – who in turn oversee client systems.
Datacenter operators certainly present a similarly tempting target. A big operator will likely have hundreds of clients whose co-located kit hums along inside their walls.
Giant datacenters can even host hyperscalers. And the prospect of criminals gaining a handhold in the millions of servers operated by AWS, Azure, or other major clouds is surely close to a worst-case scenario for millions of IT shops. ®