Resecurity warns about cyber-attacks on data center service providers

Resecurity warns about an increase in malicious cyber activity targeting data center service providers globally.

According to the detailed report recently released by the California-based cybersecurity company, during September 2021 Resecurity notified several data center organizations about malicious cyber activity targeting them and their customers. Such organizations act as a critical part of the enterprise supply chain and become a juicy target for nation-state, criminal and cyberespionage groups.

The details about this activity have been shared with the affected parties and with the national computer emergency response teams in China and Singapore, respectively, for further analysis and risk mitigation. Further updates received during 2022 and in January 2023 have also been shared with U.S. Law Enforcement due to the significant presence of major Fortune 500 corporations in the observed data sets. Some of these organizations are current customers of Resecurity and were notified at the earliest stage of the campaign's development. Many of them interpreted it as a significant risk to their supply chain and initiated further incident response.

In one of the cases reported to CNCERT/CC, it's likely the initial access was gained via a vulnerable helpdesk module integrated with other applications and systems; in one of the observed episodes, this integration could have allowed the actor to perform lateral movement. The actor was able to extract a list of CCTV cameras with associated video stream identifiers, presumably used to monitor data center environments, as well as credential information related to operators (IT staff at the data center) and customers.

Once the customer credentials were collected, the actor performed active probing of the customer panels, aiming to collect information about the representatives of enterprise customers who manage operations at the data center, the list of purchased services, and the deployed equipment. During the 1st episode of the identified campaign, the actor was also able to collect cellphone and ID card numbers, likely used for certain client verifications. After communication with CNCERT around January 24, 2023, the affected organization forced customers to change their passwords. During the 2nd episode of the same campaign, the actor was able to exfiltrate similar records from another data center organization with a meaningful footprint in APAC.
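The pattern described above, harvested customer credentials replayed against the data center's customer panels, leaves a characteristic trace in portal authentication logs: one client address authenticating against many distinct customer accounts in a short span, with a high success rate because the credentials are valid rather than guessed. The following is an added example, not code from the Resecurity report or this article; the log format (`<timestamp> <src_ip> <account> <result>`), the sample lines, the 10-minute window and the five-account threshold are all assumptions constructed for the example.

```python
"""Credential-replay detection over customer-portal authentication logs.

Added example (not from the Resecurity report or the Security Affairs
article). Flags source addresses that touch many distinct customer
accounts within a short window and reports how many of those attempts
succeeded: a high success rate across many accounts points to replay of
stolen, valid credentials rather than password guessing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed format:
# "<iso-timestamp> <src_ip> <account> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2023-01-20T09:00:05 203.0.113.7 acme-corp SUCCESS
2023-01-20T09:00:41 203.0.113.7 globex-ltd SUCCESS
2023-01-20T09:01:12 203.0.113.7 initech FAIL
2023-01-20T09:01:30 203.0.113.7 initech SUCCESS
2023-01-20T09:02:03 203.0.113.7 umbrella-bio SUCCESS
2023-01-20T09:02:59 203.0.113.7 stark-fin SUCCESS
2023-01-20T09:03:20 203.0.113.7 wayne-inv SUCCESS
2023-01-20T09:05:00 198.51.100.22 acme-corp SUCCESS
2023-01-20T10:30:00 198.51.100.22 acme-corp SUCCESS
2023-01-20T11:00:00 192.0.2.9 globex-ltd FAIL
2023-01-20T11:00:20 192.0.2.9 globex-ltd SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into sorted (ts, src_ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return sorted(events)


def find_credential_replay(events, window=timedelta(minutes=10), min_accounts=5):
    """Return one finding per source address that authenticates against at
    least `min_accounts` distinct accounts inside any span of length `window`.

    The finding describes the densest window seen for that source, including
    attempt and success counts so an analyst can separate replay of valid
    credentials (mostly successes) from guessing (mostly failures).
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        # Events are time-ordered, so each event can open a candidate window.
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            accounts = {a for _, a, _ in in_win}
            if len(accounts) < min_accounts:
                continue
            if best is None or len(accounts) > len(best["accounts"]):
                successes = sum(1 for _, _, r in in_win if r == "SUCCESS")
                best = {
                    "src_ip": ip,
                    "window_start": start.isoformat(),
                    "accounts": sorted(accounts),
                    "attempts": len(in_win),
                    "successes": successes,
                    "success_rate": round(successes / len(in_win), 2),
                }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for finding in find_credential_replay(parse_log(SAMPLE_LOG)).values():
        print(finding)
```

On the constructed sample, only 203.0.113.7 is flagged: six distinct customer accounts in about three minutes with six of seven attempts succeeding, which is the signature of valid harvested credentials being replayed rather than a brute-force attempt. The two other sources each touch a single account and are ignored. In production the threshold should be tuned against the portal's normal behaviour (managed service providers legitimately administering several tenants from one address are the obvious false positive), and the source field should be whatever the portal records after any reverse proxy.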

In January 2023, via Human Intelligence (HUMINT) sources, Resecurity acquired artifacts which may confirm successful access attempts to the customer portals of 10 different organizations, some of which were based in India. Notably, the observed customer portals included several features typical for data center organizations, such as Remote Hands Service (RHS), access permissions and material movement. The information about this incident has been shared with CNCERT/CC, the Singapore Computer Emergency Response Team (SingCERT) and law enforcement. Resecurity has reached out to multiple parties (clients under protection and partner organizations) in order to collect feedback about the origin of those credentials; some contacts confirmed that the credentials had been used by them and their IT staff, and that the data center was used either for disaster recovery or for active operations in the region.

On January 28, 2023, the actor published the stolen data for sale on one of the underground communities in the Dark Web often used by initial access brokers (IABs) and ransomware groups. Likely, the reason behind this step was the unexpected, forced password change by the data center organization, dating back to the 1st episode. The 3rd episode of the campaign was related to a U.S.-based organization operating in the carrier-neutral data center field and offering software-defined data center services. Notably, the organization was a client of one of the previously impacted data centers abroad. The information about this episode remains limited compared to the 2 previous episodes, but Resecurity was able to collect several credentials used by IT. On February 20, 2023, the actor published a significant fragment of the stolen data on the "Breached" underground forum [post 1] [post 2].

Most organizations identified in the leaked data sets relate to financial institutions (FIs) with a global presence, investment funds, biomedical research companies, technology vendors, e-commerce, online marketplaces, cloud services, ISPs and CDN providers with HQ in the U.S., the U.K., Canada, Australia, New Zealand, Singapore and China. The identified campaign may highlight the importance of international cooperation and proactive threat intelligence sharing, given the significant interconnection between data centers based in different parts of the world, much like their customers.

Targeting data center organizations creates a significant precedent in the context of supply chain cybersecurity. Resecurity expects attackers to increase malicious cyber activity related to data centers and their customers. Network defenders should evaluate proper measures to mitigate such vectors across both OT and IT supply chain cybersecurity. It's crucial to have transparent communication with suppliers regarding possible cybersecurity incidents which may involve client accounts and related data.

Pierluigi Paganini

(SecurityAffairs – hacking, data center service providers)