Posted on March 6, 2023 at 7:28 AM
Hackers steal login credentials from two leading Asian data centers
Hackers gained access to login credentials held by data centers in Asia that serve some of the largest corporations in the world. The stolen data includes email addresses and passwords for the customer-support websites of two of the largest data center operators in Asia. The breach of the two data centers is believed to have affected around 2000 customers.
Hackers steal login credentials for Asian data centers
The breach was detected by the cybersecurity firm Resecurity in September 2021, but it was only disclosed to the public after a hacker leaked the login credentials stolen in the attack on a hacking forum. The hackers further used the stolen credentials to look into users, portals and services, and to access CCTV footage.
Resecurity noted that the threat actors had infiltrated two of the largest data centers in Asia. After the breach, the hackers leaked login credentials belonging to some of the largest companies globally, such as Apple, Amazon, Huawei, Samsung and Microsoft. Besides tech giants, other institutions affected by the breach include BMW AG and Walmart.
Companies based in Asia were also affected including Alibaba Group Holdings Limited and a foreign exchange platform based in China. The large size of the companies that were affected in this breach shows that the effects of the campaign could be severe.
GDS Holdings, based in Shanghai, and ST Telemedia Global Data Centers (STT GDC), based in Singapore, are the two companies operating the data centers infiltrated by the hackers. In one of the incidents, the hacker allegedly obtained access through a helpdesk, or by submitting a support ticket, and exploited a system that was integrated with other systems, which enabled lateral movement.
The threat actor obtained access to CCTV cameras and to the login credentials of the company's customers and IT staff. The hackers also used the stolen login data to look up the customer representatives of the enterprises managed by the data centers and to access information about purchased services and deployed equipment.
The hackers also went through the Remote Hands Services (RHS) including FreeIPMI, iDRAC and OpenBMC, which are used by customers who want to manage their servers remotely.
Following this breach, the attackers managed to collect around 2000 records, which largely comprised the login credentials such as email addresses, telephone numbers, identification cards, and other information used to verify client data. The hackers also infiltrated an internal email account that is used to register visitors on the platform.
The breach was reported to CNCERT/CC, the computer emergency response team based in China, in January this year. Affected customers were forced to change their login credentials.
The threat actors allegedly stole 1,210 customer records from STT GDC, the data center operator based in Singapore. This attack was also conducted by exploiting the helpdesk, customer service portal and ticket management system.
The hackers stole passwords from the customer support platform and later used the stolen login credentials to infiltrate the system to conduct more hacking campaigns. Moreover, the hackers also tried to access around ten organizations, with one of them located in India.
The Resecurity cybersecurity company could not confirm if these threat actors were successful in infiltrating the targets. According to STT GDC, the attempts made by the hackers were not successful. The Resecurity firm also notes that the customers affected by the breach were those that did not reset their passwords.
The researchers further added that, “It is not clear if such access was possible simply because multiple customers didn’t change their passwords after the incident in 2021, lack of awareness or response, or the episode may have been interpreted as ‘new’.”
Resecurity reported the breach to the CSA SingCERT in Singapore, and shared the information with law enforcement authorities in Singapore, as the breach might have affected Fortune 500 companies.
Hackers publish stolen login credentials on hacking forums
The hacker publicly disclosed the stolen login credentials on a hacking forum. According to Resecurity, the hacker might have initially tried to monetize the data but it lost value after the passwords were reset. On the other hand, the breach might have been conducted by a state-sponsored hacker looking to hide their activity.
Resecurity could not confirm the total number of threat actors that downloaded the leaked login credentials. A report by Bloomberg had said that these hackers had maintained access to the stolen login credentials for more than one year, and at the time, the credentials were still working. They later tried to auction the data to other hackers, before publishing it for free.