Over 20,000 data center systems vulnerable to hackers

Over 20,000 data center systems vulnerable to hackers

Short News:-

Over 20,000 instances of publicly exposed data center infrastructure management software have been discovered by Cyble. The software could be used for a variety of catastrophic attacks. Without adequate protection, anyone can modify temperature and humidity thresholds, deactivate cooling units, turn off consoles, put UPS devices to sleep, or generate false alarms. Cyble discovered over 20,000 servers with exposed DCIM management interfaces. These interfaces enable attackers to remotely power off, power on, reboot and manage servers. Cyble has notified the CERTs in each country where the exposed systems are located.

Detailed News:-

Over 20,000 instances of publicly exposed data center infrastructure management (DCIM) software have been discovered that monitor devices, HVAC control systems, and power distribution units could be used for a variety of catastrophic attacks.

Costly systems that support business storage solutions, operational systems, website hosting, and data processing are housed in data centers.

Datacenter buildings must adhere to stringent safety regulations regarding fire protection, airflow, electric power, and physical security.

Years of pursuing operational efficiency have resulted in the development of "lights-out" data centers, which are fully automated and generally operate without staff.

However, these systems are not always configured correctly. As a result, while the servers themselves may be adequately protected against physical intrusion, the systems that ensure physical security and optimal performance are not always adequately protected.

Numerous instances of unprotected systems

Over 20,000 instances of publicly exposed DCIM systems have been discovered by Cyble investigators, including thermal and cooling management dashboards, humidity controllers, UPS controllers, rack monitors, and transfer switches.

Additionally, the analysts were able to extract passwords from dashboards, which they used to access the data center's actual database instances.

Cyble discovered applications that provide complete remote access to data center assets, generate status reports, and enable users to configure various system parameters.

In the majority of cases, applications used default passwords or were severely out of date, making it relatively easy for threat actors to compromise them or bypass security layers.

Potential possible implications

Without adequate protection, anyone can modify temperature and humidity thresholds, configure voltage parameters to dangerous levels, deactivate cooling units, turn off consoles, put UPS devices to sleep, generate false alarms, or change backup time intervals.

These are all potentially dangerous acts that could result in physical damage, data loss, or system destruction, as well as a significant economic impact on the targeted organizations and their customers.

A fire incident in the OVH datacenter in Strasbourg in March 2021 was caused by a failure in one of the building's UPS (uninterruptible power supply) units.

While that incident was not the result of hacking, it demonstrates the extent to which such attacks can harm service providers and their customers.

The fire destroyed thousands of servers, permanently erased data, and disrupted service to gaming servers, cryptocurrency exchanges, telecommunications firms, and news organizations, among others.

Even if there is no physical harm, adversaries can use their access to DCIM systems to exfiltrate data, lockout legitimate administrators, and eventually extort the data center owner.

In any case, the consequences are dire, and closing these loopholes should be a top priority. Cyble has notified the CERTs in each country where the exposed systems were located on that front.

Additionally, over 20,000 ILO interfaces are exposed.

Jan Kopriva, a security researcher, and ISC Handler discovered over 20,000 servers with exposed ILO management interfaces in addition to exposed DCIM instances.

HPE Integrated Lights-Out (iLO) management interfaces enable administrators to remotely power off, power on, reboot and manage servers as if they were physically present.

However, if not properly secured, threat actors will now have complete access to servers at the pre-boot stage, allowing them to modify the operating system or even the hardware configuration.

As with DCIM interfaces, it is critical to secure ILO interfaces properly and avoid direct Internet access to protect them from remote vulnerability exploitation and brute force password attacks.