Researchers have produced a report about threat actors targeting multiple data centers in several regions globally, resulting in the exfiltration of information about some of the world’s biggest companies and the publication of access credentials on the dark web.
Researchers did not name the victims, but according to several other reports, the cyberattacks stole data center credentials from major corporations including Alibaba, Amazon, Apple, BMW, Goldman Sachs, Huawei Technologies, Microsoft, and Walmart.
The report’s timeline begins in September 2021, when researchers were first alerted to a malicious campaign targeting data centers, and goes on to describe two further campaigns in the following years (2022 and 2023).
The credentials belonged to data center organizations and were exfiltrated during several malicious campaigns, then published on the underground forum Breached.to.
Several dark web threat actors, believed to be of Asian origin, managed to access customer records and exfiltrate them from one or more databases tied to specific applications and systems used by several data center organizations.
According to the researchers, the actors’ mode of operation involves compromising any of the systems listed below, and they operate as initial access brokers:
- Helpdesk systems, customer service, ticket management, and support portals.
- Devices that could potentially be probed remotely, including CCTV equipment and watchdogs.
- Data center visitors’ management systems.
- Email accounts belonging to data center IT staff and their customers.
- Remote management and device monitoring solutions.
- Integrated Lights-Out (iLO), a proprietary embedded server management technology, or similar out-of-band management technologies such as OpenBMC, FreeIPMI, and iDRAC.
In September 2021, when the campaign was first observed, the threat actor was able to collect records on over 2,000 data center customers. These included credentials, e-mail addresses, mobile phone numbers, and ID card references, likely used for client verification mechanisms. The actor was also able to compromise one of the internal email accounts used to register visitors, which could then be used for cyber espionage or other malicious purposes.
In the second campaign, in 2022, the actor was able to exfiltrate a customer database presumed to contain 1,210 records from a data center organization headquartered in Singapore.
The third campaign, observed in January this year, involved an organization in the US that was a client of one of the previously impacted data centers.
On January 28, data stolen during the campaign was published for sale on an underground community on the dark web called Ramp, which is often used by initial access brokers and ransomware groups.
The next step was immediate monetization, because the threat actor realized the activity could be detected and the value of the data would then fall.
Bloomberg reported that Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres are among the victim organizations. GDS acknowledged that a customer support website was breached in 2021 and said there was no risk to clients’ IT systems or data; ST Telemedia also said there was no risk to clients.
According to the researchers, organizations identified in the leaked data sets are headquartered in the US, UK, Canada, Australia, Switzerland, New Zealand, and China, and include financial institutions with a global presence as well as investment funds, biomedical research companies, technology vendors, e-commerce sites, cloud services, ISPs, and content delivery network companies.
Details of the malicious activity have been shared with the affected parties and national computer emergency response teams (CERTs) in China and Singapore.
The research was documented by the firm Resecurity, which also shared information with US law enforcement, as the data sets contained a significant amount of information related to major Fortune 500 corporations.