Data centers are an appealing target for cybercriminals. Even though they may be more difficult to compromise than the home computer of a kid playing Fortnite or the laptop of a sales representative connecting to a random wireless network, they can bring very large rewards: databases with millions of records containing financial and personal information, substantial computational resources that can be used to mine cryptocurrencies, and access to key assets that can be held for ransom.

In this blog post, we analyze the main pathways that cybercriminals leverage to gain access to data centers, how they take advantage of that access, and what security administrators can do to reduce and manage the associated risks.

Getting into the Data Center

The obvious first goal of an attacker is to gain access to the targeted data center. This can be achieved in several ways, including social engineering [1], physical access [2], and occasionally deer [3], but anecdotal evidence suggests that the two main avenues are remote exploitation (also known as remote-to-local attacks [4]) and stolen credentials [5].

Remote-to-local Attacks

In a remote-to-local attack, an attacker targets a remotely accessible service provided by one of the workloads running in the data center and delivers an exploit that results in the execution of code within the workload's environment. This initial code can be as simple as a shell command delivered through a command injection vulnerability, or it may be a sophisticated memory corruption attack that corrupts a process's stack and chains together existing code fragments (return-oriented programming "gadgets") so that the process ends up executing code chosen by the attacker.
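The command-injection case is worth seeing concretely, because the vulnerable and the hardened version differ by only a few lines. The following is an added example written for this page, not code from the original post or from any product it mentions. It models a diagnostic endpoint that takes a host name from the request and shells out with it; the endpoint name, the `echo` stand-in for the real diagnostic command, and the payload are all constructed for illustration.

```python
import re
import subprocess

# Constructed example: a "reachability check" endpoint that runs a diagnostic command
# with a user-supplied host name. `echo` stands in for the real command (e.g. ping)
# so the example runs anywhere, offline.


def check_host_vulnerable(host: str) -> str:
    """Vulnerable: the user's input is spliced into a command string that a shell parses."""
    cmd = "echo checking " + host          # attacker now controls part of the command line
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allow-list for what a host name may look like (labels of letters, digits and hyphens).
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def check_host_hardened(host: str) -> str:
    """Hardened: validate against an allow-list, then pass argv directly with no shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host name: {host!r}")
    # With a list of arguments and shell=False, the host name is a single argv element;
    # metacharacters such as ';' or '$(...)' are never interpreted.
    out = subprocess.run(["echo", "checking", host], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    payload = "db01; echo INJECTED"          # constructed attacker input
    print(check_host_vulnerable(payload))    # second command runs: the injection succeeds
    try:
        check_host_hardened(payload)
    except ValueError as err:
        print("rejected:", err)
    print(check_host_hardened("db01.example.internal"))
```

Note that the argv form alone already prevents the injection; the allow-list is the second layer, so that a future refactor that reintroduces a shell (or a downstream tool that interprets its own metacharacters) still only ever sees a well-formed host name.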

Regardless of the technique used to perform the attack, the net result is a foothold within the data center. This initial step is often followed by privilege escalation to gain additional rights, discovery of internal assets to extend the set of targeted resources, and lateral movement to expand and consolidate control over the network.

Remote-to-local attacks can be mitigated with protection mechanisms such as Web Application Firewalls (WAFs) and intrusion detection/prevention systems (IDS/IPS) that inspect incoming traffic for signs of abuse and exploitation. While these tools are a must-have for any data center that exposes services to the Internet, they are often not enough: they see only the traffic that crosses the perimeter and recognize only what they have signatures or models for.

Defense in depth suggests that these approaches should be complemented by security audits of both the code of the services and the configurations of deployed systems (to prevent vulnerabilities in the first place) and by mechanisms to detect lateral movement and internal privilege escalation. These mechanisms are very similar to those used to protect the data center against compromised credentials and are described in greater detail in the next section.

Compromised Credentials

While remote-to-local attacks exploit software, compromised credential attacks exploit people.

In this case, an attacker obtains credentials to log into the data center by compromising the work environment of a user with access (for example, with credential-stealing malware) or by using a phishing attack to lure the user into revealing that information.

A classic example is the 2013 Target breach, which resulted in the company's CEO stepping down [6]. In this case, the credentials of an external HVAC contractor were phished and then used to gain access to Target's internal network. While this is one of the most egregious cases, it is far from being the only one (see, for example, the Sony breach of 2014 [7] or the Capital One breach of 2019 [8]).

The use of two-factor authentication (2FA) can severely limit the success of these attacks, but sometimes the trade-off between convenience and security swings in favor of convenience, with disastrous results. In addition, 2FA is not always well understood. For example, SMS-based 2FA is not as secure as one might think [9]. This is borne out by SIM-swapping attacks, in which criminals use social engineering against a mobile carrier to associate the victim's phone number with a SIM they control, allowing them to receive the victim's SMS messages, one-time codes included [10].

Detecting unwanted data center access based on compromised credentials can be extremely hard, as this attack is fundamentally indistinguishable from an "insider threat" attack in which legitimate users start abusing their access for personal gain. Here, the goal is to detect behavior that is so different from an established profile that it is likely associated with malicious intent (or at least can be brought to the attention of a human analyst for further analysis).

One of the approaches to detect anomalous behavior is to use Network Traffic Analytics (NTA). This is a series of techniques, mostly based on statistics and machine learning, that profile the behavior of a network in order to identify events that deviate from the baseline.

For example, NTA systems might detect that a host is performing an unusually large outbound transfer to destinations outside the data center, which, in turn, could be evidence of a data exfiltration attempt. As another example, NTA systems might detect Remote Desktop Protocol (RDP) sessions between hosts that never had such sessions before, which could be evidence of an attempt to move laterally. Fortunately, NTA is a good fit for data centers, as their internal traffic patterns are usually more regular and predictable than those observed where there is intense human activity, such as an administrative office or a university network.

The predictability of data center network traffic is also a perfect match for compartmentalization approaches such as micro-segmentation. These techniques allow an administrator to implement "least privilege" network access policies in which only the hosts that really need to interact are allowed to do so, and everything else is denied by default. This is a dramatic improvement over the traditional "hard perimeter, soft inside" approach. Using micro-segmentation enables organizations to contain lateral movement and prevent the disastrous cascade effects of an initial breach.
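To make the two ideas above concrete, here is an added example (written for this page, not code from the original post or from any NTA or micro-segmentation product) that runs over a small set of constructed flow records: a week of routine traffic used as the baseline, then one monitored day. It flags RDP peer pairs never seen in the baseline, hosts whose egress to the outside jumps far above their own baseline (a host with no prior egress at all is the strongest case), and internal flows that a tier-based least-privilege policy does not allow. The address ranges, tiers, ports, thresholds and policy are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class Flow(NamedTuple):
    """One aggregated flow record, as exported by NetFlow/IPFIX or a virtual switch."""
    day: int        # observation day: 0-6 form the baseline, 7 is the monitored day
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


DATA_CENTER = ip_network("10.0.0.0/8")      # constructed: the data center's internal range


def is_internal(ip: str) -> bool:
    return ip_address(ip) in DATA_CENTER


# Constructed records: a week of routine traffic followed by one monitored day.
BASELINE: List[Flow] = []
for day in range(7):
    BASELINE += [
        Flow(day, "10.0.1.10", "10.0.2.10", 8080, 40_000_000),   # web -> app
        Flow(day, "10.0.1.11", "10.0.2.10", 8080, 38_000_000),
        Flow(day, "10.0.2.10", "10.0.3.10", 5432, 12_000_000),   # app -> db
        Flow(day, "10.0.9.5", "10.0.2.10", 3389, 3_000_000),     # jump host -> app (RDP)
        Flow(day, "10.0.1.10", "203.0.113.10", 443, 2_000_000),  # web -> external update mirror
        Flow(day, "10.0.1.11", "203.0.113.10", 443, 2_000_000),
    ]

WINDOW: List[Flow] = [
    Flow(7, "10.0.1.10", "10.0.2.10", 8080, 41_000_000),
    Flow(7, "10.0.2.10", "10.0.3.10", 5432, 11_000_000),
    Flow(7, "10.0.9.5", "10.0.2.10", 3389, 2_500_000),
    Flow(7, "10.0.1.10", "203.0.113.10", 443, 2_100_000),
    Flow(7, "10.0.1.10", "10.0.3.10", 3389, 500_000),          # a web host opens RDP to the DB tier
    Flow(7, "10.0.3.10", "198.51.100.7", 443, 900_000_000),     # the DB host pushes 900 MB out
]


def rdp_pairs(flows):
    return {(f.src, f.dst) for f in flows if f.dport == 3389}


def new_rdp_sessions(baseline, window):
    """RDP peer pairs in the monitored window that never appeared in the baseline."""
    return sorted(rdp_pairs(window) - rdp_pairs(baseline))


def external_egress(flows):
    """Bytes each internal host sent outside the data center, keyed by (host, day)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.day)] += f.bytes_out
    return totals


def egress_outliers(baseline, window, factor=5.0, floor=50_000_000):
    """Hosts whose daily egress exceeds `factor` times their baseline daily mean and an
    absolute floor. A host with no baseline egress has a mean of zero, so any transfer
    above the floor fires: "never contacted external hosts before" is the loudest signal."""
    days = len({f.day for f in baseline})
    mean = defaultdict(float)
    for (host, _), b in external_egress(baseline).items():
        mean[host] += b / days
    flagged = []
    for (host, _), b in external_egress(window).items():
        if b >= floor and b > factor * mean.get(host, 0.0):
            flagged.append((host, b, mean.get(host, 0.0)))
    return sorted(flagged)


# Micro-segmentation: each host belongs to a tier, and only the listed
# (source tier, destination tier, port) combinations are permitted; all else is denied.
TIER = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.10": "app",
        "10.0.3.10": "db", "10.0.9.5": "jump"}
POLICY = {("web", "app", 8080), ("app", "db", 5432),
          ("jump", "web", 22), ("jump", "app", 3389), ("jump", "db", 22)}


def segmentation_violations(flows):
    """Internal flows that the least-privilege policy does not allow."""
    bad = set()
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            rule = (TIER.get(f.src, "unknown"), TIER.get(f.dst, "unknown"), f.dport)
            if rule not in POLICY:
                bad.add((f.src, f.dst, f.dport))
    return sorted(bad)


if __name__ == "__main__":
    print("new RDP sessions:", new_rdp_sessions(BASELINE, WINDOW))
    print("egress outliers:", egress_outliers(BASELINE, WINDOW))
    print("segmentation violations:", segmentation_violations(WINDOW))
```

The web-to-database RDP session is caught twice, once as a baseline deviation and once as a policy violation. That redundancy is the point: with micro-segmentation enforced in the network, that session would have been blocked rather than merely reported, while the anomaly detector still covers flows that the policy permits but that are out of character, such as the database host's 900 MB upload.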

Monetizing a Breach

The goal of most cybercriminals is to make money, and access to a data center is a prerequisite for profit-making activities. So how do attackers turn their hard-earned access to the data center into easy money?

Malicious actors have been very creative in finding ways to monetize their attacks, from using stolen personal information to open credit card accounts, to accessing a payroll system to add "ghost workers" who may go undetected for months. They may also use employee information in social engineering attacks to carry out "payroll diversion" [11].

In the following, we look at three of the most common data center attacks that can be used to turn remote access into actual money.

Data Theft

Data breaches can result in a damaged reputation and other financial costs that only come to light after a breach becomes public. A recent study showed that the stock of affected companies fell by 3.5 percent on average after a breach [12]. In addition, the resulting clean-up can be expensive, and, in the case of small businesses, it may actually result in the demise of the business. A statement by a U.S. Securities and Exchange Commission commissioner cited survey data indicating that a majority of the small businesses that experienced a breach went out of business within the following six months [13].

In most cases, data theft is catastrophic: by the time the attack is detected, the data has already been leaked and nothing can be done to stop or revert the loss. In some cases, security mechanisms can prevent most of the data from being leaked, but sadly these occurrences are the exception.

Data theft can be prevented using a combination of mechanisms and policies. First, an organization should identify its sensitive data and protect it accordingly (classification, access controls, and encryption). Recent regulations, such as GDPR, have brought new attention to how data is collected, stored, and protected. Next, employees need to be trained in how to handle data securely. And, finally, there need to be mechanisms in place for the detection of an attack.

For example, NTA techniques can identify the anomalous flows that are used to collect, stage, and exfiltrate data outside the data center. The anomaly may be associated with the amount of data being transferred (especially if a host has never contacted external hosts before) or with the identity and context of the external host receiving the data (for example, if the host is in a network with a bad reputation or in a geographic area where the organization has no presence).
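The collect-stage-exfiltrate sequence and the destination-context checks described in this paragraph can be expressed as a small correlation rule. The following is an added example written for this page, not code from the original post or from any product it mentions. It uses a constructed transfer log, a constructed reputation blocklist and a constructed geolocation table as stand-ins for a real threat-intelligence feed and GeoIP database; the internal range, the thresholds and the list of countries where the organization operates are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class Transfer(NamedTuple):
    ts: int       # seconds since the start of the observation window
    src: str
    dst: str
    nbytes: int


DATA_CENTER = ip_network("10.0.0.0/8")                   # constructed internal range
BAD_REPUTATION = [ip_network("198.51.100.0/24")]          # constructed stand-in for a blocklist feed
GEO = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.55": "XX"}  # constructed GeoIP stand-in
OPERATING_COUNTRIES = {"US", "DE"}                         # assumed: where the organization has a presence


def is_internal(ip: str) -> bool:
    return ip_address(ip) in DATA_CENTER


def destination_risk(dst: str) -> List[str]:
    """Context about an external destination: its reputation and its geography."""
    reasons = []
    if any(ip_address(dst) in net for net in BAD_REPUTATION):
        reasons.append("bad-reputation")
    country = GEO.get(dst, "unknown")
    if country not in OPERATING_COUNTRIES:
        reasons.append(f"unexpected-geo:{country}")
    return reasons


def staging_hosts(transfers, min_sources=3):
    """Internal hosts that received data from at least `min_sources` distinct internal peers:
    the collection/staging step that typically precedes exfiltration."""
    sources = defaultdict(set)
    for t in transfers:
        if is_internal(t.src) and is_internal(t.dst):
            sources[t.dst].add(t.src)
    return {host: peers for host, peers in sources.items() if len(peers) >= min_sources}


def exfiltration_alerts(transfers, min_sources=3, min_bytes=100_000_000):
    """Large outbound transfers that are suspicious because of where they go, or because the
    sender had just been collecting data from other internal hosts, or both."""
    stagers = staging_hosts(transfers, min_sources)
    last_collection = {}            # host -> time of the last inbound internal transfer
    egress = defaultdict(int)       # (src, dst) -> bytes sent outside
    first_egress = {}               # (src, dst) -> time the outbound transfer started
    for t in sorted(transfers, key=lambda t: t.ts):
        if is_internal(t.src) and is_internal(t.dst):
            last_collection[t.dst] = t.ts
        elif is_internal(t.src):
            egress[(t.src, t.dst)] += t.nbytes
            first_egress.setdefault((t.src, t.dst), t.ts)
    alerts = []
    for (src, dst), total in sorted(egress.items()):
        reasons = destination_risk(dst)
        # staging only counts if the collection happened before the data left
        if src in stagers and last_collection.get(src, 0) <= first_egress[(src, dst)]:
            reasons.append(f"staged-from-{len(stagers[src])}-hosts")
        if total >= min_bytes and reasons:
            alerts.append((src, dst, total, reasons))
    return alerts


# Constructed transfer log: three internal hosts copy data to a file server, which then pushes
# it out of the data center; separately, a web host sends a large upload to a blocklisted network.
TRANSFERS = [
    Transfer(10, "10.0.3.10", "10.0.5.20", 300_000_000),
    Transfer(40, "10.0.3.11", "10.0.5.20", 250_000_000),
    Transfer(70, "10.0.2.10", "10.0.5.20", 120_000_000),
    Transfer(90, "10.0.1.10", "203.0.113.10", 2_000_000),      # routine: small, reputable destination
    Transfer(600, "10.0.5.20", "192.0.2.55", 650_000_000),     # staged data leaves for an unexpected country
    Transfer(700, "10.0.1.11", "198.51.100.7", 150_000_000),   # large upload to a blocklisted network
]

if __name__ == "__main__":
    for alert in exfiltration_alerts(TRANSFERS):
        print(alert)
```

The routine 2 MB transfer to a reputable destination in an expected country produces no alert even though it is external; the two real alerts each carry the reasons that triggered them, which is what an analyst needs to triage quickly.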

Ransomware

The effects of a ransomware attack range from being a nuisance (having to restore data from backups and clean up the network) to being devastating (having to pay large sums of money to regain access to key assets). In any case, these attacks have a cost and have become the scourge of data centers. The basic profile of these attacks has been reported so widely that even non-technical people know how they work: a network is compromised, sensitive files are encrypted, and a ransom note is presented to the victim, asking for cryptocurrency in exchange for a decryption key.

Unfortunately, even if the basic ransomware strategy is well known, large-scale ransomware attacks against data centers have some distinct characteristics. First, data center ransomware attacks are targeted, not opportunistic. While careless Internet users may click on an email attachment sent to millions of other users and, as a result, have their kids' pictures encrypted, attacks on data centers are usually carefully planned. To achieve maximum effect, cybercriminals first make sure that the environment has been fully compromised, so that when file encryption starts, the whole network is hit at the same time, making incident response more difficult.

For example, the Snake ransomware family has been used for extremely targeted attacks that employed compromised Windows Domain Controllers to perform a synchronized activation of the encryption operation across the whole data center (for details, see our Threat Intelligence Report [14]).

Data center ransomware has recently expanded its targets to include the virtual machine disk images used to run workloads in virtualized environments. We recently analyzed the Defray777 ransomware, which was used to encrypt virtual machine files on ESXi servers (for details, see our report "Deconstructing Defray777 Ransomware" [15]). Similar traits are present in the DarkSide ransomware that crippled Colonial Pipeline's networks, causing fuel shortages across the eastern United States [16]. This is a new and worrisome development that shows that attackers are looking for the most valuable assets in a data center in order to inflict the maximum amount of damage on the target.

In addition, ransomware attacks against data centers are often combined with data exfiltration. The stolen data is used as leverage to push the victim into paying the ransom: if the victim does not comply, the leaked information will be made public on the Internet [17].

The solution to the ransomware problem is, once again, a combination of approaches, mechanisms, and policies. Having an Endpoint Detection and Response (EDR) solution that monitors the actions performed by processes on data center hosts is a key component of a defense-in-depth strategy. However, this must be complemented by an effective Network Detection and Response (NDR) system that is able to recognize network-based evidence of attacks and ideally block the malware before it can take hold of the target hosts.

Of course, this combination, often marketed as an XDR system (composed of an EDR and an NDR working in sync), must be backed by a solid, tested data recovery process, which is the last resort when the ransom note appears on the screen.
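What "monitoring the actions performed by processes" buys you against the synchronized mass encryption described above is the ability to notice the file-system pattern of bulk encryption in the first seconds, before it completes. The following is an added example written for this page, not code from the original post or from any EDR product. It runs a sliding-window rule over a constructed stream of file events: a process that, within a short window, renames many files spread across several directories to the same new extension is flagged. The event format, process names, paths, extension and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath
from typing import List, NamedTuple, Optional


class FileEvent(NamedTuple):
    """One file-system event as an EDR sensor would record it (constructed format)."""
    ts: float
    pid: int
    image: str
    op: str                     # "write" or "rename"
    path: str
    new_path: Optional[str] = None


def ext(path: str) -> str:
    return PurePosixPath(path).suffix.lower()


def detect_mass_encryption(events, window=60.0, min_renames=20, min_dirs=3):
    """Alert when one process, within `window` seconds, renames at least `min_renames` files
    spread over at least `min_dirs` directories to the same new extension. Seen from the file
    system, bulk encryption is exactly that: contents replaced, file re-labelled with the
    attacker's extension, directory after directory. Legitimate software rarely does this."""
    recent = defaultdict(deque)     # pid -> extension-changing renames inside the window
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.op != "rename" or e.new_path is None or ext(e.path) == ext(e.new_path):
            continue                # plain writes and same-extension renames are not interesting here
        q = recent[e.pid]
        q.append(e)
        while e.ts - q[0].ts > window:
            q.popleft()
        by_ext = defaultdict(list)
        for r in q:
            by_ext[ext(r.new_path)].append(r)
        for new_ext, renames in by_ext.items():
            dirs = {str(PurePosixPath(r.path).parent) for r in renames}
            if (len(renames) >= min_renames and len(dirs) >= min_dirs
                    and (e.pid, new_ext) not in alerted):
                alerted.add((e.pid, new_ext))   # fire once per (process, extension)
                alerts.append({"ts": e.ts, "pid": e.pid, "image": e.image, "new_ext": new_ext,
                               "renames": len(renames), "dirs": len(dirs)})
    return alerts


# Constructed event stream: a backup job writing many files, log rotation renaming a few,
# and an unknown binary re-labelling documents across several shares within seconds.
EVENTS: List[FileEvent] = []
for i in range(30):
    EVENTS.append(FileEvent(1000 + i, 100, "/usr/bin/rsync", "write",
                            f"/backup/2021-05-20/file{i}.dat"))
for i in range(5):
    EVENTS.append(FileEvent(1100 + i, 200, "/usr/sbin/logrotate", "rename",
                            f"/var/log/app{i}.log", f"/var/log/app{i}.log.1"))
for i in range(25):
    share = ("finance", "hr", "eng")[i % 3]
    EVENTS.append(FileEvent(1200 + i * 0.5, 300, "/tmp/.x/enc", "rename",
                            f"/srv/share/{share}/doc{i}.xlsx",
                            f"/srv/share/{share}/doc{i}.xlsx.locked"))

if __name__ == "__main__":
    for alert in detect_mass_encryption(EVENTS):
        print(alert)
```

The alert fires at the twentieth rename, roughly ten seconds into the encryption run in this constructed stream, and carries the process image so the response action (kill the process, isolate the host) can be automated. Log rotation also changes extensions but touches too few files in one directory, and the backup job only writes, so neither trips the rule.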

Cryptojacking

Cybercriminals have not been indifferent to the frenzy surrounding cryptocurrencies. The advantage of targeting cryptocurrencies is that these malicious activities are immediately and directly converted into (cyber) cash, without the need to perform the cumbersome scams that stolen information requires, as in the case of personal data theft.

Cybercriminals primarily use two approaches: including wallet-stealing functionality in malware, sometimes disguised as cryptocurrency applications [18], or monetizing stolen CPU cycles by mining cryptocurrency, an attack known as cryptojacking.

One of the most notable attacks of this kind was against Tesla's public cloud [19], in which an exposed Kubernetes console was hijacked and the cluster was put to work mining currency while the computational costs were paid by the targeted company. This notorious event was only one in a series of incidents that targeted the CPU cycles of the data center.

A cryptojacking attack might result in higher energy bills, slowed-down operations, or higher cloud computing bills. Unfortunately, these attacks can be tricky to detect because they do not interrupt the operations of the data center (as ransomware does) or raise alarms because of unauthorized or anomalous access to sensitive data (as in the case of a data breach). One of the best ways to detect cryptojacking is to use NTA to identify internal hosts that are communicating the results of the mining work to the outside, typically to a mining pool, since such communication is a necessary condition to monetize the attack. In addition, EDR solutions might identify the sustained, abnormal CPU usage patterns that are characteristic of blockchain mining. Once again, the concerted monitoring of data center infrastructure using both host-based and network-based detection techniques is what can keep these attacks at bay.
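The two signals named above can be correlated per host. The following is an added example written for this page, not code from the original post or from any product it mentions. On the network side it looks for the JSON-RPC messages of the Stratum protocol that miners use to talk to pools (the Bitcoin-style "mining.subscribe"/"mining.authorize" handshake, and the "login" message with an "agent" field used by Monero miners such as XMRig); on the host side it looks for CPU load that is both high and flat, which distinguishes a miner from a bursty batch job. The payloads, CPU samples and thresholds are constructed for the example.

```python
import json
from statistics import mean, pstdev
from typing import List

# Method names used by the Stratum mining protocol (Bitcoin-style "mining.*" methods) and by
# the JSON-RPC dialect used by Monero miners such as XMRig ("login", "submit", "job").
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
                   "mining.set_difficulty", "login", "submit", "job"}


def stratum_indicators(payload: bytes) -> List[str]:
    """Scan a reassembled TCP payload for newline-delimited JSON-RPC messages that look like
    miner/pool traffic; return the method names and any miner user agent found."""
    found = []
    for line in payload.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if msg.get("method") in STRATUM_METHODS:
            found.append(msg["method"])
        params = msg.get("params")
        if isinstance(params, dict) and "agent" in params:
            found.append("agent=" + str(params["agent"]))
    return found


def sustained_cpu(samples: List[float], threshold=90.0, min_samples=12, max_stdev=5.0) -> bool:
    """Miners pin the CPU at a flat, high level for hours; batch jobs and request handling are bursty.
    Require enough samples, a high mean and a low spread before calling it sustained."""
    if len(samples) < min_samples:
        return False
    return mean(samples) >= threshold and pstdev(samples) <= max_stdev


def cryptojacking_reasons(payload: bytes, cpu_samples: List[float]) -> List[str]:
    """Correlate the network-side and host-side signals for one host."""
    reasons = []
    indicators = stratum_indicators(payload)
    if indicators:
        reasons.append("pool-traffic:" + ",".join(indicators))
    if sustained_cpu(cpu_samples):
        reasons.append("sustained-cpu")
    return reasons


# Constructed samples: a miner's login to a pool, a classic Stratum handshake, and ordinary HTTP.
MINER_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ConstructedWalletAddress",'
               b'"pass":"x","agent":"XMRig/6.12.1","algo":["rx/0"]}}\n')
STRATUM_HANDSHAKE = (b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'
                     b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n')
PLAIN_HTTP = b"GET /api/v1/status HTTP/1.1\r\nHost: api.example.internal\r\n\r\n"

MINER_CPU = [97, 98, 97, 99, 98, 97, 98, 99, 97, 98, 98, 97]      # flat near 100 percent
BATCH_CPU = [95, 10, 80, 5, 99, 20, 90, 15, 85, 10, 95, 12]       # bursty, high peaks
IDLE_CPU = [3, 5, 4, 6, 3, 4, 5, 3, 4, 6, 5, 4]

if __name__ == "__main__":
    print("db-host:   ", cryptojacking_reasons(MINER_LOGIN, MINER_CPU))
    print("batch-host:", cryptojacking_reasons(PLAIN_HTTP, BATCH_CPU))
    print("web-host:  ", cryptojacking_reasons(PLAIN_HTTP, IDLE_CPU))
```

Either signal alone is worth a ticket; both together on the same host is close to conclusive. Note that pool traffic is often wrapped in TLS, in which case the payload check has to be replaced by destination reputation (known pool addresses) or by the sustained-CPU signal alone.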

Conclusions

Make no mistake, data centers are a target. Fortunately, there are a number of technologies and security processes that can limit the impact of successful remote-to-local attacks or of the abuse of stolen credentials. However, without design, planning, and, of course, funding, data centers can be left open to attacks that lead to loss of service, loss of data, and loss of customers. Using a combination of defense in depth (IDS/IPS alongside internal monitoring using EDR, Network Traffic Analytics, and network sandboxing), least privilege (compartmentalization and micro-segmentation), and secure defaults (single sign-on with two-factor authentication) can dramatically reduce the risks and costs of a security breach.

Contributors

Giovanni Vigna

Bibliography

[1] Y. Sverdlik, “This Hacker Can Talk His Way inside a Data Center,” DataCenter Knowledge, 6 Apr 2017. [Online]. Available: https://www.datacenterknowledge.com/archives/2017/04/06/this-hacker-can-talk-his-way-inside-a-data-center.
[2] S. D. Scalet, “19 ways to build physical security into your data center,” CSOonline, 31 March 2015. [Online]. Available: https://www.csoonline.com/article/2112402/physical-security-19-ways-to-build-physical-security-into-a-data-center.html.
[3] S. Moss, “A deer broke into a data center,” 28 January 2019. [Online]. Available: https://www.datacenterdynamics.com/en/news/deer-broke-data-center/.
[4] B. Krebs, “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software,” 5 March 2021. [Online]. Available: https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/.
[5] S. V. Overson, “2021 Credential Stuffing Report,” F5, 9 February 2021. [Online]. Available: https://www.f5.com/labs/articles/threat-intelligence/2021-credential-stuffing-report.
[6] B. Krebs, “The Target Breach, By the Numbers,” 6 May 2014. [Online]. Available: https://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/.
[7] E. V. a. T. B. Lee, “The 2014 Sony hacks, explained,” 3 June 2015. [Online]. Available: https://www.vox.com/2015/1/20/18089084/sony-hack-north-korea.
[8] B. Krebs, “What We Can Learn from the Capital One Hack,” 2 August 2019. [Online]. Available: https://krebsonsecurity.com/tag/capital-one-breach/.
[9] Z. Doffman, "Why You Should Stop Using SMS Security Codes—Even On Apple iMessage," 11 October 2020. [Online]. Available: https://www.forbes.com/sites/zakdoffman/2020/10/11/apple-iphone-imessage-and-android-messages-sms-passcode-security-update/.
[10] T. Sweeney, “SIM Swapping Attacks: What They Are & How to Stop Them,” 23 December 2019. [Online]. Available: https://www.darkreading.com/theedge/sim-swapping-attacks-what-they-are-and-how-to-stop-them/b/d-id/1336662.
[11] FBI, "Cybercriminals Utilize Social Engineering Techniques To Obtain Employee Credentials To Conduct Payroll Diversion," 18 September 2018. [Online]. Available: https://www.ic3.gov/Media/Y2018/PSA180918.
[12] P. Bischoff, “How data breaches affect stock market share prices,” 9 February 2021. [Online]. Available: https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/.
[13] L. A. Aguilar, “The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses,” 19 October 2015. [Online]. Available: https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html.
[14] Threat Analysis Unit, “Threat Intelligence Report: Targeted Snake Ransomware,” 17 November 2020. [Online]. Available: https://blogs.vmware.com/networkvirtualization/2020/11/targeted-snake-ransomware-report.html/.
[15] Threat Analysis Unit, “Deconstructing Defray777 Ransomware,” 11 March 2021. [Online]. Available: https://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/.
[16] J. Nuce et al., "Shining a Light on DARKSIDE Ransomware Operations," FireEye, 11 May 2021. [Online]. Available: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html.
[17] K. Mehrotra, “Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta,” 20 April 2021. [Online]. Available: https://www.bloomberg.com/news/articles/2021-04-21/apple-targeted-in-50-million-ransomware-hack-of-supplier-quanta.
[18] A. Mechtinger, “Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets,” 5 January 2021. [Online]. Available: https://www.intezer.com/blog/research/operation-ElectroRAT-attacker-creates-fake-companies-to-drain-your-crypto-wallets/.
[19] L. H. Newman, “Hack Brief: Hackers Enlisted Tesla’s Public Cloud to Mine Cryptocurrency,” 28 February 2018. [Online]. Available: https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/.