Cyble-DCIM-Tools-Under-Cyberattacks

Data Centers Facing the Risk of Cyberattacks

Understanding Data Center Infrastructure Management (DCIM)

Data Center Infrastructure Management (DCIM) tools and software are used to visualize, manage and control the core information technology components within the data center, such as routers, switches and servers, as well as the facility infrastructure components, such as heating, ventilation and cooling (HVAC) systems, Uninterruptible Power Supply (UPS) systems, server rack monitoring solutions also known as Power Distribution Units (PDU), transfer switches, sensors, etc.

Figure (1) Source: blog.se.com

With the help of DCIM, administrators get a complete view of the data center's operation. They can further collect, store, and analyze network, power, and cooling data in real time.

Continuous monitoring of the trends and reports collected from the data center helps administrators react before any failure impacts users and services, significantly increasing uptime. As a result, management of IT and facility infrastructure components becomes more efficient. DCIM solutions also help at large sites with fewer employees, as more informed decisions can be taken.

Globally, data centers are becoming faster, smarter, and highly scalable, but this development comes at a price: with great power come significant responsibilities and a greater risk of cyberattacks.

As data centers rely on the collaboration of multiple technologies and software, vulnerabilities and loopholes can easily be found by malicious hackers. Moreover, data centers are upgrading rapidly, so hackers are exploring new vectors to bypass security measures. The motive behind attacks on data centers varies depending on the hacker behind the attack. For example:

  • Hacktivists can launch a cyberattack on a specific data center site's heating, ventilation and cooling (HVAC) systems in retaliation against the organization or a party connected to the data center.
  • Ransomware groups can lock administrators out of the DCIM application and demand a ransom in return for restoring data access.
  • State-sponsored hackers might disrupt the power supply of critical components of the data center, which can cause a complete shutdown of plant operations, resulting in chaos among the data center stakeholders.
  • Hackers can also steal sensitive details of the data center and its components and sell them to bidders on dark web markets and forums.

Investigation Outcomes

While researching the scope of vulnerabilities exploitable to damage data centers, Cyble Research Labs found multiple DCIM software products, intelligent monitoring devices, thermal cooling management control systems, and rack power monitors vulnerable to cyberattacks. Furthermore, the Labs' scanners and Google dork investigation found that, globally, 20,000+ instances and products of various vendors dealing with data centers and their operations are public-facing. Hence, it is highly likely that data centers worldwide will experience increasing cyber threats. Many of these instances, secured only with factory default passwords, are discussed below.

Key Findings

  • Data Center Infrastructure Management Applications
Figure (2) screenshot of admin dashboard of Sunbird DCIM

Figure 2 shows the exposed admin dashboard of Sunbird's dcTrack data-center infrastructure management software. A malicious hacker with access to the admin console has access to everything the dashboard manages, like assets, connectivity, power, reports, settings, etc.

Figure (3) screenshot of temperature & humidity settings at the data center

Figure 3 shows the real-time temperature and humidity of the rack installed at the center, which can be manipulated through the admin dashboard. This can severely impact the servers installed in the rack, as they will overheat and be damaged.

Figure (4) represents the floor & rack planning details

Figure 4 shows that a malicious hacker with administrator rights can alter the floor and rack planning, resulting in false analysis and hindering data center planning operations. A minor change in these settings can significantly affect the efficiency of the data center.

Figure (5) screenshot of the rack details

Researchers were also able to uncover the rack and cabinet details and other configurations, as shown in Figure 5. A hacker with details of these numerous sensitive components can plan their next attack accordingly.

Figure (6) User Creds settings

A hacker with access to the dcTrack dashboard can reset the application and its software. Hackers can also compromise the complete data center site by uploading malicious backup files, removing current backups, and disrupting the backup interval. Additionally, user credentials can be altered and retrieved from the dashboard, as shown in Figure 6.

Figure (7) Infrastructure settings from the dashboard

Cyble researchers also found public-facing Device42 data-center infrastructure management software running on default admin passwords. These findings are critical, as a hacker with access to the DCIM software has multiple attack options against the data center. Device42 DCIM provides agentless and automatic discovery of all IT assets, including physical, virtual, and cloud components. Discovered assets include storage and network switching, bare metal servers, chassis and blades, hypervisors, IP subnets, and cloud services.

Device42 DCIM has many benefits for the administrator: it makes management of the data center faster, easier and more accurate, supports managing and analyzing data center operations, increases visibility for the administrator, and makes resolving technical issues by raising tickets more manageable. These factors help plan the data center's equipment, processes, people, or technology budget. But if these dashboards are not secured, hackers can quickly gain sensitive information.

If a malicious attacker gets access to the administrator dashboard, they can monitor IPs from the Device42 DCIM dashboard.

The dashboard also collects database details. This option can be considered a goldmine for hackers, as the data retrieved from it can be used in many ways, as shown in Figure 8.

Figure (8) Database details
  • Data Center cooling systems.

The Liebert CRV iCOM is a precision data center cooling solution providing temperature and humidity control. It integrates within a row of data center racks, providing cooling close to the heat load. As a result, Liebert CRV iCOM is ideal for data centers where heat density increases without installing a raised floor or a higher roof.

Cyble researchers were able to find several web instances of Liebert CRV iCOM that still use the default passwords to secure these critical assets of the data center, as shown in Figure 10. As a result, hackers and other malicious threat groups can quickly access the data center's cooling units and overheat the equipment they serve.

As cyber espionage campaigns are increasing all over the globe, having these unprotected web consoles on the surface web increases the risk of cyberattack exponentially.

Figure (9) Dashboard for Liebert CRV iCOM

A hacker can get access to logs and events, which can help them understand the site operations better. As shown in Figure 11, malicious threat actors with dashboard access may change values of the cooling units, such as temperature, humidity, cooling, sensor calculations, fan speed, sensor functions, fluid temperature threshold, etc. System information can also be stolen from such exposed instances.

Figure (10) Temperature settings

Hackers can completely turn off the iCOM system of a data center, which may start a chain of incidents leading to a complete shutdown of the data center.

  • Server Rack Monitoring systems

In addition to building and room security, monitoring server racks has become critical, as data storage and processing equipment are installed in racks. A change in external parameters could cause severe damage. For example, an increase in temperature might cause the chips inside to melt and bring the entire system to a halt. Furthermore, the chips' processing slows down and loses efficiency if they run too cold.

Cyble researchers were able to find multiple exposed web interfaces particularly used for rack monitoring. In addition, the researchers found these interfaces were using factory default passwords, making it easy for a hacker to gain insights into a data center.

As multiple sensors, power units, networking devices and CCTV cameras are connected to these portals, there is a lot of scope for a hacker to gain sensitive information about the components within the data center and how they work, as shown in Figures 11-14.

Figure (11) Dashboard of Rack Monitor
Figure (12) Screenshot of the Alerts details
Figure (13) Screenshot of POD details
Figure (14) Screenshot of the sensor history
  • Communication Modules

Within data centers, the communications module connects networks and environmental sensors. In addition, devices powered by a rack Power Distribution Unit can be remotely controlled and monitored through the communication module's web interface, so the module plays a critical role within the data center.

Sensitive information retrieved from one of the instances reveals a vulnerable component in use at the organization, which could be exploited further through CVE-2018-10077, CVE-2018-10078 and CVE-2018-10079, as shown in Figure 15.

Figure (15) Screenshot of communication module dashboard

The communication module also allows changing the parameters set by the operator for the smooth operation of the data center (Figures 16-17). A malicious hacker with access to these options may cause severe damage to the system.

Figure (16) Screenshot of settings
Figure (17) Screenshot of components connected and status

The dashboard grants administrator rights after logging in with the default credentials. Threat Actors (TA) can upload malicious firmware files and gain knowledge of other users and groups. Doing so leaves the complete data center environment at high risk, as shown in Figures 18-19.

Figure (18) Firmware upload option
Figure (19) User & Group details
  • Uninterruptible Power Supply Systems

A Smart Uninterruptible Power Supply compensates for primary power source failure for critical infrastructure in small to medium-sized data centers. Whether or not you have a generator to keep your infrastructure running during prolonged power outages, a UPS unit is necessary to guarantee that no power interruptions occur. In addition, a UPS system is essential for reducing the stress that a hard shutdown places on electronic equipment.

Figure (20) Web console of Smart-UPS

Figure 20 shows the admin dashboard of one of the Smart-UPS instances found on the internet, still running factory default passwords.

Figure (21) UPS Settings available
Figure (22) UPS Controls available

Access to these sensitive settings can harm the critical assets of the data center that depend on the Smart-UPS. The console also exposes the setting that extends battery life by adjusting the charging voltage based on the battery's temperature, shown in Figure 23.

Figure (23) Temperature and humidity control setting available

A malicious hacker gaining control over these consoles can turn off, reboot, or put the UPS to sleep, etc. In addition, Threat Actors (TA) can also delete the logs and traces from the console, a further danger to the critical infrastructure, as shown in Figure 24.

Figure (24) Event Logs Settings available
  • Automatic Transfer Switches

To effectively limit the threats posed by unplanned downtime, data center operators must deploy robust and redundant power supplies capable of maintaining critical operations in the case of an unforeseen power loss or failure.

Automatic Transfer Switches are used in data centers to allow the power load to redirect to an alternate supply in the case of an electrical failure in the primary power supply. Interlock-based or automated transfer switches are available.

Figure (25) Home page of Transfer switch

Cybercriminals can manipulate the load, voltage, and other transfer switch settings, as shown in Figures 26-28.

Figure (26) Voltage Parameters
Figure (27) Load Management settings
Figure (28) Control Actions

The Automatic Transfer switch controller is self-acting depending on the parameters set by the site operator and manages both initiation and operation. Initiation starts when the automatic controller detects unavailability or loss of source power, followed by switching mechanism operation.

Threat Actors having control of these portals can manipulate the site operators’ settings which can cause severe damage to the data center where the transfer switch is installed.

Impact

  • Data Centers are the most important critical infrastructure for the nation and the organization using the data center facilities. A successful attack on this vital sector can lead to the loss of a considerable amount of money.
  • The data stored and processed in the data centers can be corrupted and destroyed, which can severely impact the organization's brand reputation.
  • Hackers can even delete the traces of their attack by deleting the logs from the web consoles found above.
  • Data centers are critical infrastructures with high security, yet the use of multiple vendors and products increases the scope of attack for Threat Actors (TA).
  • Many sensitive details like sensors information, network details, user details, firmware details, backup files, logs, etc., can be used by malicious groups to plan a more threatening and strategic attack towards the complete data center environment.
  • A data center of the financial sector processes a lot of critical data. A cyber-attack on the data center’s cooling system can result in the loss of this data or even stop the time-sensitive processes connected with the data processed from the data centers.
  • A cyber-attack on data centers can cause chaos among the parties concerned, as confidential data might be stored at that center.
  • Suppose a hacker manipulates the controlled parameters of power systems present in the data center. In that case, the maintenance or repair costs can be huge as there are many devices dependent on the smooth functioning of power systems.
  • Hackers can sell sensitive information like user credentials, data center blueprints, and component details on dark web markets and forums to bidders of an enemy nation.

Recommendations

  • Apply a risk management framework to the critical infrastructure, as shown in Figure 29.
Figure (29) RMF framework from NIST
  • Cyber security awareness programs are a must for employers and management to understand new risks and threats emerging in the cyber world.
  • Multiple vendors report advisories at regular intervals. These security vulnerabilities must be patched quickly before Threat Actors (TA) exploit them.
  • Public-facing web instances are a significant threat to the critical sectors when they go unaddressed by security teams, as this puts the complete environment at risk of cyber-attack. Checking asset exposure is very important in these sectors.
  • Implementation of proper access control on all the connected assets should be considered the first step towards ensuring security.
  • Proper network segmentation is necessary for safeguarding the data centers from network-based attacks.
  • Regular audits in the critical sector like data centers can help prevent downtime to a significant level.
  • A strong password policy within the organization is important as data leaks are happening daily. If an employee working in a data center uses the same or similar passwords to access the corporate network, this can put the complete data center in danger.
  • Vulnerability assessment and penetration testing exercises will greatly help any critical-sector organization to understand the flaws in its current systems.
  • Integrating threat intelligence into the current security framework can boost security to a large extent.

MITRE ATT&CK® Techniques

Tag ID   Tactic                      Technique
T0819    Initial Access              Exploit Public-Facing Application
T0883    Initial Access              Internet Accessible Device
T0823    Execution                   Graphical User Interface
T0859    Persistence                 Valid Accounts
T0888    Discovery                   Remote System Information Discovery
T0812    Lateral Movement            Default Credentials
T0811    Collection                  Data from Information Repositories
T0852    Collection                  Screen Capture
T0878    Inhibit Response Function   Alarm Suppression
T0816    Inhibit Response Function   Device Restart/Shutdown
T0838    Inhibit Response Function   Modify Alarm Settings
T0879    Impact                      Damage to Property
T0826    Impact                      Loss of Availability
T0828    Impact                      Loss of Productivity and Revenue
T0837    Impact                      Loss of Protection
T0882    Impact                      Theft of Operational Information

Conclusion

Data center security should always be viewed holistically. Organizations spend billions of dollars to ensure that data centers do not face downtime and security breaches. Yet there may still be many security loopholes that adversaries could exploit.

The security of sensors, CCTV, cooling systems, power units, rack monitors, and data center infrastructure monitoring applications should be kept up to date. In addition, the logs generated by these components should be analyzed to detect intrusions.
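As an added example that is not part of the Cyble post or any vendor's product, the following Python detector shows what the log analysis recommended above (and the exposure and access-control checks in the Recommendations section) can look like in practice. It reads audit-log lines from data-center management consoles (DCIM, cooling, UPS) and flags the activity the post describes: successful logins with factory-default accounts, logins from outside the management network, repeated failed logins, and high-impact control or anti-forensic actions such as setpoint changes, alarm changes, firmware uploads, log clearing and UPS shutdown. The line format, hostnames, networks, account names and the sample log are constructed assumptions; the ATT&CK for ICS labels come from the table below plus T0836, T0857 and T0872.

```python
"""Added example (not from the Cyble post or any vendor): a detector for
data-center console audit logs. Log format, hosts, networks and account
names are constructed assumptions for this example."""
import ipaddress
import re
from collections import Counter

# Assumed line layout: "<ts> <device> user=<u> src=<ip> action=<a> [detail=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: detail=(?P<detail>.*))?$"
)

# Constructed: the only network from which console logins are expected, and
# the factory-default account names the organization has inventoried.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DEFAULT_ACCOUNTS = {"admin", "apc", "root"}
FAILED_LOGIN_THRESHOLD = 3

# Console actions worth an alert, labelled with ATT&CK for ICS techniques.
HIGH_RISK_ACTIONS = {
    "setpoint_change": "T0836 Modify Parameter",
    "alarm_disable": "T0838 Modify Alarm Settings",
    "firmware_upload": "T0857 System Firmware",
    "backup_delete": "backup tampering via DCIM settings",
    "ups_shutdown": "T0816 Device Restart/Shutdown",
    "ups_reboot": "T0816 Device Restart/Shutdown",
    "log_clear": "T0872 Indicator Removal on Host",
}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def from_mgmt_net(src):
    """True when the source address belongs to an allowed management network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)


def analyze(lines):
    """Return findings as (severity, technique, device, user, src, reason)."""
    findings = []
    failed = Counter()  # (device, src) -> failed login count
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line; a production pipeline would count these
        dev, user, src, action = ev["device"], ev["user"], ev["src"], ev["action"]
        outside = not from_mgmt_net(src)
        if action == "login_fail":
            failed[(dev, src)] += 1
        elif action == "login_ok":
            if user in DEFAULT_ACCOUNTS:
                findings.append(("high", "T0812 Default Credentials", dev, user, src,
                                 "successful login with a factory-default account"))
            if outside:
                findings.append(("high", "T0883 Internet Accessible Device", dev, user, src,
                                 "console login from outside the management network"))
        elif action in HIGH_RISK_ACTIONS:
            # A control change by a default account or from outside the
            # management network is the scenario in the post: treat as critical.
            sev = "critical" if outside or user in DEFAULT_ACCOUNTS else "medium"
            findings.append((sev, HIGH_RISK_ACTIONS[action], dev, user, src,
                             f"{action} {ev['detail'] or ''}".strip()))
    for (dev, src), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("high", "credential guessing", dev, "-", src,
                             f"{n} failed logins from one source"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f[0] for f in findings)


# Constructed sample log: one legitimate operator session, then the kind of
# session the post warns about (default account, public source address).
SAMPLE_LOG = """\
2022-03-01T09:00:01Z dctrack-01 user=jsmith src=10.20.0.15 action=login_ok
2022-03-01T09:02:10Z dctrack-01 user=jsmith src=10.20.0.15 action=setpoint_change detail=rack-07 temp_high_alarm=35C
2022-03-01T09:15:44Z crv-icom-02 user=admin src=198.51.100.23 action=login_ok
2022-03-01T09:16:02Z crv-icom-02 user=admin src=198.51.100.23 action=setpoint_change detail=supply_air=32C
2022-03-01T09:16:30Z crv-icom-02 user=admin src=198.51.100.23 action=alarm_disable detail=high_temp
2022-03-01T09:20:00Z smart-ups-03 user=apc src=198.51.100.23 action=login_fail
2022-03-01T09:20:01Z smart-ups-03 user=apc src=198.51.100.23 action=login_fail
2022-03-01T09:20:02Z smart-ups-03 user=apc src=198.51.100.23 action=login_fail
2022-03-01T09:20:05Z smart-ups-03 user=apc src=198.51.100.23 action=login_ok
2022-03-01T09:21:00Z smart-ups-03 user=apc src=198.51.100.23 action=log_clear
2022-03-01T09:21:30Z smart-ups-03 user=apc src=198.51.100.23 action=ups_shutdown
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
    print(summarize(analyze(SAMPLE_LOG.splitlines())))
```

The operator's own setpoint change from the management network is reported as medium so that it still appears in review, while the same action from a default account on a public address is escalated to critical; the log-clearing action is flagged regardless, because deleted console logs are exactly the trace removal the post warns about.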

Cyble researchers were able to find several instances exposed on the internet while investigating the scope of attacks on data centers all over the globe. These data centers were protected only by default passwords. Some of the products found were outdated, allowing hackers or malicious groups to exploit the data center's systems further.

Figure (30) Vendor analysis

Cyble Research Labs’ investigation found that more than 20,000 web instances of various products are exposed over the internet, as shown in Figure 30.

Disclaimer

  • All the vulnerabilities found during this research will be reported to the respective countries’ CERTs.
  • No parameter was changed or reconfigured during the research.
