Hackers stole thousands of login credentials from major tech and Fortune 500 companies after breaching two large data centers in Asia.
Cyber security firm Resecurity discovered the breach in September 2021, but the incident only recently became public knowledge when a threat actor leaked the stolen login credentials on a hacking forum.
The hackers also used the stolen credentials to probe portals, user accounts, and services, and to access CCTV cameras.
Hackers stole over 3,000 login credentials from breached Asian data centers
According to Resecurity, hackers breached two of the largest data center operators in Asia and leaked login credentials belonging to high-profile companies, including tech firms Amazon, Apple, Huawei, Microsoft, and Samsung.
Other high-profile businesses impacted by the cyber attacks include Alibaba Group Holdings Limited, Goldman Sachs Group, BMW AG, Walmart, and a Chinese foreign exchange platform.
Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centers (STT GDC) operated the breached data centers.
In one incident, threat actors reportedly gained initial access through a helpdesk or ticket management module that was integrated with other systems, which allowed lateral movement.
The attacker extracted a list of CCTV cameras and the login credentials of IT staff and customers. They used the stolen credentials to look up the representatives of enterprise customers who manage equipment in the data centers and to view the services those customers had purchased and the equipment they had deployed. They also searched for Remote Hands Services (RHS) and out-of-band management interfaces such as iDRAC, OpenBMC, and FreeIPMI, which allow customers to manage their servers remotely.
The attackers collected roughly 2,000 records, presumably login credentials, that included email addresses, cell phone numbers, and ID cards, likely used for client verification. They also breached an internal email account used for registering visitors, which would allow them to enroll visitors of their own for further espionage against the data center operators.
The incident was reported to the Chinese computer emergency response team CNCERT/CC on January 24, 2023, and impacted customers were forced to change their login credentials.
Similarly, threat actors reportedly stole 1,210 customer records from the Singaporean operator STT GDC in a separate attack, which also began via a vulnerable helpdesk, customer service portal, or ticket management system. They stole passwords for customer support websites and used the stolen data center logins to probe the systems for further exploitation. They also attempted to gain access to ten organizations, including some in India.
However, the security research firm could not confirm if the threat actors succeeded in breaching their targets. STT GDC claimed that those hacking attempts were unsuccessful.
Resecurity attributed the renewed access attempts, in part, to the possibility that some customers had never reset their passwords after the 2021 intrusion.
“It is not clear if such access was possible simply because multiple customers didn’t change their passwords after the incident in 2021, lack of awareness or response, or the episode may have been interpreted as ‘new’,” the researchers wrote.
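The practical caveat in that quote is that credentials stolen in 2021 stay usable for as long as the affected accounts keep the same password. The check below is an added example, not Resecurity's or either operator's tooling: it cross-references a leaked `email:password` dump against an identity-directory export that records each account's last password change, and flags accounts whose password predates the earliest known compromise date. The dump format, the CSV export layout, the cut-off date (September 2021, per the article) and all addresses are constructed for illustration.

```python
"""Flag leaked accounts whose passwords have not been rotated since a breach.

Added example; not code from Resecurity, GDS or STT GDC. The leak dump,
directory export, and breach cut-off below are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a credential dump in the email:password form typically
# traded on forums. Passwords are fictitious and never used by this script.
LEAK_DUMP = """\
alice@example.com:Winter2021!
bob@example.com:Passw0rd
carol@example.com:hunter2
eve@example.com:letmein
this line has no separator and is skipped
"""

# Constructed sample: an identity-directory export (assumed column names).
DIRECTORY_CSV = """\
email,last_password_change,mfa_enabled
alice@example.com,2021-06-02T10:00:00Z,false
bob@example.com,2023-02-01T08:30:00Z,true
carol@example.com,2022-11-15T12:00:00Z,false
dave@example.com,2020-01-01T00:00:00Z,true
"""

# Earliest known compromise date; anything changed on or before it is stale.
BREACH_DATE = datetime(2021, 9, 1, tzinfo=timezone.utc)


def parse_leak(dump):
    """Return the set of lower-cased e-mail addresses in an email:password dump."""
    emails = set()
    for line in dump.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line
        email, _password = line.split(":", 1)
        emails.add(email.lower())
    return emails


def parse_directory(csv_text):
    """Map e-mail -> {last_change: datetime, mfa: bool} from the directory export."""
    directory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamp = row["last_password_change"].replace("Z", "+00:00")
        directory[row["email"].lower()] = {
            "last_change": datetime.fromisoformat(stamp),
            "mfa": row["mfa_enabled"].strip().lower() == "true",
        }
    return directory


def triage(leak_emails, directory, breach_date=BREACH_DATE):
    """Split leaked accounts into those needing an immediate reset and unknowns.

    rotate_now: in the leak and password last changed on/before breach_date.
    rotated_no_mfa: already rotated but still lacking MFA (secondary priority).
    not_in_directory: in the leak but absent from our directory (contractors,
    former staff, shared mailboxes); these need manual follow-up.
    """
    result = {"rotate_now": [], "rotated_no_mfa": [], "not_in_directory": []}
    for email in sorted(leak_emails):
        entry = directory.get(email)
        if entry is None:
            result["not_in_directory"].append(email)
        elif entry["last_change"] <= breach_date:
            result["rotate_now"].append(email)
        elif not entry["mfa"]:
            result["rotated_no_mfa"].append(email)
    return result


if __name__ == "__main__":
    report = triage(parse_leak(LEAK_DUMP), parse_directory(DIRECTORY_CSV))
    for bucket, accounts in report.items():
        print(f"{bucket}: {', '.join(accounts) or '-'}")
```

Run against a real export, the `rotate_now` bucket is the list to force-reset before anything else; the `not_in_directory` bucket is often the more worrying one, because it shows which leaked identities your directory does not even govern.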
Resecurity reported the incident to Singapore’s CSA SingCERT and shared the information with U.S. federal law enforcement authorities because some Fortune 500 companies likely used the breached data centers.
Tech firms’ login credentials published on hacking forums
The threat actor published the stolen data for sale on the dark web site RAMP on January 28, 2023.
Resecurity suggested that the attacker intended to monetize the data before it lost value after the password reset, or a nation-state actor intended to cover their tracks by presenting themselves as a financially-motivated attacker.
A threat actor identified as "Minimalman" also published the trove on the hacking forum BreachedForums, the successor of RaidForums, which was seized by law enforcement authorities.
Resecurity could not determine the number of threat actors who downloaded the leaked credentials, with some data still circulating on Telegram.
According to Bloomberg, hackers had access to the allegedly still-working stolen credentials for over a year before auctioning them on hacking forums for $175,000 and later dumping them for free.
STT GDC disputes hacking claims, Bloomberg holds ground
GDS and STT GDC claim that the breach did not result in data loss or compromise of their portals.
"Our relevant teams have conducted detailed reviews of these notifications, and our investigations to date indicate that there has been no data loss or impact to any of these customer service portals," STT GDC, which owns a 40% stake in GDS, said in a strongly worded statement.
STT GDC also refuted claims that a breach on its customer service portal could impact its data centers, adding that the support systems did not contain personal or critical business data.
However, Bloomberg quoted unnamed sources from four impacted US companies claiming that breaching customer support systems posed an “unusual danger” because such systems determine who can access IT infrastructure.
Meanwhile, Microsoft told Bloomberg that it regularly monitors for threats and takes appropriate actions to protect its customers, while Goldman Sachs said it had additional controls in place to prevent such breaches.
Apple, Alibaba, Huawei, and Walmart did not comment, while Amazon Web Services said the incident had no impact on its infrastructure.
Quoting Resecurity, Bloomberg says hackers could use leaked credentials to impersonate authorized users on customers’ websites. Additionally, hackers could use leaked emails to target employees in highly-targeted phishing attacks. Leaked credentials could also allow hackers to compromise companies’ networks, access data, and attack downstream customers.