Researchers at Resecurity, a cybersecurity company, have warned data centres about a malicious campaign that has been targeting them since September 2021. They discovered the campaign when they noticed that attackers had managed to steal the records of 2,000 data centre customers, which the attackers then published on an underground forum called Breached.to.
The stolen data includes login credentials, emails, mobile numbers and ID card references, which are believed to be used for customer verification mechanisms. The threat actors compromised one of the internal email accounts used to register visitors, which they used to carry out several malicious tasks.
Resecurity has tracked the campaign from 2021 to the present day. It assesses that the perpetrators could be operating from Asia and revealed that two major data centres, one in China and one in Singapore, had been attacked. While Resecurity did not name the companies affected, Bloomberg reported that Shanghai-based GDS Holdings and Singapore-based ST Telemedia were caught in the threat actors' web. Resecurity observed that the threat actors collected data on the customers of these data centre service providers, as well as the credentials of their employees.
It is believed that the perpetrators gained access through a vulnerable helpdesk or ticket management module that was integrated with other applications and systems, which allowed them to move laterally. From there they gained access to CCTV cameras and their associated video stream identifiers, which they used to monitor the data centre environments, and to credentials belonging to data centre IT staff and customers.
According to Resecurity, the organisations whose data was affected include global financial institutions, biomedical research companies, technology vendors, cloud services, e-commerce sites, ISPs and content delivery network companies. Bloomberg reports that the stolen data includes credentials from companies such as Alibaba, Amazon, Apple, BMW, Goldman Sachs, Huawei Technologies, Microsoft and Walmart. Most of the stolen data was offered for sale on an underground dark web community called "Ramp", a known hub for ransomware groups and initial access brokers, and in some Telegram groups.
Information about the breach was shared with the affected companies, and most of them advised their customers to change their passwords to limit the threat.