More than 20,000 data center management systems exposed to hackers


Researchers have discovered more than 20,000 publicly exposed instances of data center infrastructure management (DCIM) software, which monitors appliances, HVAC control systems and power distribution units, and which could be abused to launch a range of catastrophic attacks.

Data centers house expensive systems that support enterprise storage solutions, operational systems, website hosting, data processing, and more.

Buildings that house data centers must adhere to strict safety regulations regarding fire protection, air circulation, power supply and physical security.

Years of research into operational efficiency have produced "lights-out" data centers: fully automated facilities that are managed remotely and typically operate without on-site staff.

However, these systems are not always configured correctly. So while the servers themselves may be well protected from physical access, the systems that keep them physically safe and performing optimally sometimes are not.

Several cases of unprotected systems

Cyble investigators found over 20,000 instances of publicly exposed DCIM systems, including thermal and cooling management dashboards, humidity controllers, UPS controllers, rack monitors and transfer switches.

Rack Details on Exposed Data Center (Source: Cyble)

Additionally, the analysts were able to extract passwords from the dashboards, which they then used to access actual database instances hosted in the data centers.

Databases consulted in the second phase (Source: Cyble)

Applications found by Cyble give full remote access to data center assets, provide status reports, and offer users the ability to configure various system settings.

Sunbird dashboard (Source: Cyble)

In most cases, the applications used default passwords or were severely outdated, allowing attackers to compromise them or bypass security layers with little effort.

Device42 Systems Dashboard (Source: Cyble)

Potential impact

Exposing these systems without proper protection means anyone could change temperature and humidity thresholds, set voltage parameters to unsafe levels, disable cooling units, turn consoles off, put UPS devices to sleep, create false alarms or change backup time intervals.

Access to temperature threshold settings (Source: Cyble)

These are all potentially dangerous acts that can result in physical damage, data loss, system destruction, and significant economic impact on targeted organizations and their customers.

An example is a fire in the OVH data center in Strasbourg in March 2021, caused by a failure of one of the building’s UPS (uninterruptible power supply).

Although this event was not the result of a hack, it illustrates the extent of the damage that such attacks can cause to service providers and their customers.

The blaze consumed thousands of servers, irreversibly erased data, and caused downtime for game servers, cryptocurrency exchanges, telecommunications companies, news outlets, and more.

Even if no physical damage is caused, adversaries can use their access to DCIM systems to exfiltrate data or lock out real administrators and possibly extort the owner of the data center.

The implications, in any case, are dire, and closing these loopholes should be a priority. On that front, Cyble notified the CERTs of each country where the exposed systems were located.

More than 20,000 iLO interfaces exposed as well

In addition to the exposed DCIM instances, security researcher and SANS ISC handler Jan Kopriva found over 20,000 servers with exposed iLO management interfaces.

HPE Integrated Lights-Out (iLO) management interfaces provide low-level remote access to a server, allowing administrators to power it off, power it on, restart it and manage it as if they were physically in front of it.

However, if not properly secured, attackers gain full access to servers at a pre-boot level, allowing them to modify the operating system or even hardware settings.

Like DCIM interfaces, iLO interfaces must be properly secured and never exposed directly to the Internet, so that they are protected from remote exploitation of vulnerabilities and password brute-force attacks.
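The practical first step behind that advice is knowing which of your own iLO interfaces answer from public address space. The Python below is an added example, not code from the article, Cyble, HPE or the ISC research it cites. It assumes a scanner has already fetched each host's `/xmldata?item=all` page (the page iLO serves without authentication), that the page is a `<RIMP>` XML document whose `MP/PN`, `MP/FWRI` and `HSI/SPN` fields carry the iLO product name, firmware version and server model (the field layout is taken as an assumption here), and that anything outside RFC 1918, loopback and link-local space should be treated as Internet-facing. The scan records are constructed, not real hosts.

```python
"""Offline triage of scan results for exposed HPE iLO management interfaces.

Added example; assumes the scanner already fetched /xmldata?item=all and
that iLO's RIMP XML carries MP/PN, MP/FWRI and HSI/SPN as shown below.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed RIMP body shaped like an iLO 4 response. Serials are made up.
SAMPLE_RIMP = """<?xml version="1.0"?>
<RIMP>
  <HSI>
    <SBSN>EXAMPLE01</SBSN>
    <SPN>ProLiant DL380 Gen9</SPN>
  </HSI>
  <MP>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.10</FWRI>
  </MP>
</RIMP>
"""

# Constructed scan records: (address that answered, body or None when the
# host returned nothing).
SCAN_RESULTS: List[Tuple[str, Optional[str]]] = [
    ("203.0.113.10", SAMPLE_RIMP),  # TEST-NET-3, stands in for a public address
    ("10.20.30.40", SAMPLE_RIMP),   # RFC 1918, reachable only from inside
    ("203.0.113.11", "<html><body>login</body></html>"),  # some other web app
    ("10.20.30.41", None),          # no HTTP answer at all
]

# Address space not routable from the Internet. Anything outside is treated
# as potentially Internet-facing, deliberately erring toward raising findings.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


@dataclass
class IloFinding:
    address: str
    product: str
    firmware: str
    server: str
    internet_facing: bool


def parse_rimp(body: Optional[str]) -> Optional[dict]:
    """Return product/firmware/server from a RIMP document, or None when the
    body is missing, is not XML, or is XML that is not an iLO RIMP response."""
    if not body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "RIMP":
        return None
    mp = root.find("MP")
    if mp is None or mp.findtext("PN") is None:
        return None
    return {
        "product": mp.findtext("PN", default="").strip(),
        "firmware": mp.findtext("FWRI", default="").strip(),
        "server": root.findtext("HSI/SPN", default="").strip(),
    }


def is_internal(address: str) -> bool:
    """True if the address sits in RFC 1918, loopback or link-local space."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def triage(results: List[Tuple[str, Optional[str]]]) -> List[IloFinding]:
    """Turn raw scan records into one finding per confirmed iLO interface."""
    findings = []
    for address, body in results:
        info = parse_rimp(body)
        if info is None:
            continue  # not an iLO, or nothing answered
        findings.append(IloFinding(address=address,
                                   internet_facing=not is_internal(address),
                                   **info))
    return findings


def internet_facing_ilos(results) -> List[str]:
    """Addresses of iLO interfaces that should not be reachable from outside."""
    return [f.address for f in triage(results) if f.internet_facing]


if __name__ == "__main__":
    for f in triage(SCAN_RESULTS):
        where = "INTERNET-FACING" if f.internet_facing else "internal"
        print(f"{f.address:15} {f.product} fw {f.firmware} on {f.server}: {where}")
```

Feed it real scan output in place of `SCAN_RESULTS` and every address it lists as Internet-facing is a management interface that belongs behind a VPN or a dedicated management network, not on a public IP; the firmware string it extracts is what you would then compare against the vendor's current release.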
