Several data center organizations were recently alerted by Resecurity regarding a malicious cyber campaign that has set its sights on targeting both the organizations and their respective clients.
In September 2021, an early-warning threat notification was issued to inform about the possibility of malicious activity targeting certain entities. Subsequent updates were released in 2022 and January of 2023, keeping concerned parties apprised of the evolving situation.
Recently, there has been a surge in cyber-attacks against cloud service providers (CSPs) and managed services providers (MSPs).
All these attacks were orchestrated by the threat actors who attempted to exploit vulnerabilities in the cybersecurity supply chain, with the ultimate aim of gaining unauthorized access to sensitive information belonging to targeted government organizations and businesses.
A data center is a substantial target for attackers and an essential component of the supply chain of most enterprises.
Datacenter Customers and Data Impacted
The cybersecurity analysts at Resecurity unveiled that a number of large data center customers have been affected by this breach, including the following:-
- Alibaba Group Holding
- Amazon
- Goldman Sachs Group
- Walmart
It has been discovered that data related to the following has been mainly targeted and stolen from the data centers:-
- Customer service
- Ticket management
- Support portals
- Remote management services
- Datacenter employee
- Customer email account credentials
This data was used by adversaries to gain access to embedded server management services and investigate deeper into systems, as well as to gain deeper penetration into systems.
Recently, it has come to light that the login credentials for certain data center organizations have been posted on an underground forum called “Breached[.]to.”
The Department of Justice recently seized the infamous “Raidforums,” a well-known online platform for cybercriminals to trade and sell stolen data. As a result of this shutdown, a successor to the platform has emerged as “Breached” which has quickly gained notoriety among the cybercriminal community.
Given the significant number of major Fortune 500 companies represented in the data sets obtained during the investigation, the information has been shared with US law enforcement agencies.
Further Analysis
On the Dark Web, the cybersecurity experts at Resecurity have uncovered the presence of various threat actors, with indications suggesting that they may have Asian origins.
There are a number of CCTV cameras used in data centers as a means of monitoring the environment and that list was extracted by the actor. It was also found that they extracted credential information pertaining to the following areas:
The actor then performed active probing of the panels of the customers after they had gathered the credentials of the customers in order to collect the following information:-
- Data center operations managers for enterprise customers
- List of purchased services
- Deployed equipment
With the help of Human Intelligence (HUMINT) sources, Resecurity executed its investigation to uncover evidence that 10 different organizations were successfully accessed in January 2023, including some Indian companies.
In the Dark Web, under one of the underground communities, the actor published the stolen data on January 28, 2023. Ransomware groups and initial access brokers frequently use stolen data sets as part of their operations.
There are a number of financial institutions from around the world that have been identified in the leaked data sets. Such institutions include:-
- Investment funds
- Biomedical research companies
- Technology vendors
- E-commerce
- Online marketplaces
- Cloud services
- ISPs
- CDN providers
While most of the organizations are from the following countries:-
- The U.S.
- The U.K.
- Canada
- Australia
- Switzerland
- New Zealand
- China
Security professionals are being urged to step up evaluations and mitigation efforts linked to both OT as well as IT supply chain security in order to increase their effectiveness.
The importance of having transparent communication with suppliers is also vital if a cyber-attack occurs that may compromise the private data of clients and their accounts.
Network Security Checklist – Download Free E-Book