Data centres, and the wealth of information they contain, represent a tantalising prize for attackers. But unless the attacker gets lucky and finds an Internet-facing vulnerability, directly compromising a data centre takes a significant amount of effort and planning.
As a result, cyber-attacks that target data centres tend to be patient, mature operations that emphasise persistence and require flying below the radar of security teams. From our experience, here are the six most critical attack vectors and techniques that sophisticated cyber attackers use against data centres.
Co-opting administrative access
Administrators have unparalleled access to the data centre and as a result are natural targets for attackers. Administrative protocols can give attackers backdoor access into the data centre without the need to directly exploit an application vulnerability. And by using standard admin tools such as SSH, Telnet or RDP, attackers can easily blend in with normal admin traffic.
Closing the local authentication loophole
In addition to the standard paths utilised by administrators, many data centres rely on local authentication options, that can be used in an emergency, to access the hosts and workloads they need to manage. However, these local authentication options are not logged, and the same login credentials are often shared across hosts and workloads for the sake of simplicity. When attackers find the credentials by compromising an administrator, they can silently access the data centre without fear of their activity being logged.
The administrative hardware backdoor
Local authentication offers an example of a backdoor that administrators — and attackers — can use to gain access to a data centre. However, there are other examples that take the same approach and extend it deeper into the hardware.
While the data centre is synonymous with virtualisation, the virtualised environments and resources still need to run on physical hardware. Virtual disks are ultimately dependent on physical disks, and the physical disks run in physical servers. Physical servers likewise have their own management planes designed for lights-out and out-of-band management. The management planes have their own management protocols, power, processors, and memory, which allow admins to mount disks and re-image servers even when the main server is powered off.
These actions are often performed via protocols such as the Intelligent Platform Management Interface (IPMI). While many hardware vendors have their own branded versions of IPMI — such as Dell iDRAC or HPE Integrated Lights-Out (ILO) — they are all based on IPMI and perform the same functions.
IPMI and its related protocols have well-documented security weaknesses and are often slow to receive updates and fixes. Additionally, there is currently a worrying 92,400* hosts’ IPMI interfaces exposed to the internet. The combination of IPMI vulnerabilities and its immense power make it a major attack vector for bad actors that are trying to subvert the security of the data centre.
Advanced attackers aim low
Unfortunately, hardware problems in the data centre don’t end with IPMI. Advanced attackers, including nation-states, increasingly target physical servers, routers, switches, and even firewalls. At a fundamental level the attackers use rootkits that sit below the level of the operating system, making them extremely difficult to detect using traditional methods.
These techniques allow attackers to infect the very devices that are trusted and charged with protecting the network, and then use those devices to launch attacks deeper into the network.
Keeping an eye on data
The ultimate goal of most attacks is to steal data. Depending on their needs and skill level, attackers can use a variety of approaches to smuggle data out of the data centre. The most obvious approach involves moving data in bulk out of the data centre, either directly to the Internet or to an intermediate staging area in the campus network.
Subtle attackers may attempt to stay low-and-slow by patiently exfiltrating data at rates that are less likely to be noticed or arouse suspicion. Efforts can also be made to obscure data exfiltration in hidden tunnels within normally allowed traffic, such as HTTP, HTTPS or DNS traffic.
Blending physical and virtual context
Data centres are unique to their own organisations and vary based on applications and how users interact with them. The most common type of data centre today is the private enterprise data centre. Attacks against these data centres are typically extensions of attacks against the larger enterprise.
For example, attackers may have initially compromised an employee laptop via a phishing email or social engineering. Next, attackers typically look to establish persistence within the network by spreading from the initial victim to other hosts or devices. To control the ongoing attack, attackers will plant backdoors or hidden tunnels to communicate back and forth from inside the network. Over time, attackers will map out the internal network, identify valuable resources, and compromise devices and user credentials along the way.
The most coveted stolen asset for an attacker is administrator credentials because they ensure near autonomy inside the victim’s network. Administrator credentials are particularly essential for data centre attacks, since administrators are often the only individuals who can access data en masse.
The key point is that an attack is typically at a mature stage by the time it reaches a private data centre. The hidden command-and-control traffic, the reconnaissance, the lateral movement, the compromise of user and admin credentials are all prerequisites that lead up to the intrusion into the data centre.
Conclusion
While most data centre security has focused on protecting the virtualised layers of the data centre and micro segmentation, real-world attackers are increasingly subverting the physical infrastructure that the data centre depends on. It is imperative to have the ability to identify cyber attacks that target data centres. The use of advanced attacker detection models that expose hidden attacks against application, data and virtualisation layers in the data centre, as well as the underlying physical infrastructure, security teams will be able to address critical vulnerabilities at every layer of the virtualised data centre even when attackers use legitimate services and protocols for their illegitimate actions.
* https://ipmiscan.shadowserver.org/ [accessed 7th Feb 2020]
- ENDS -