Earlier this month, hackers posted the login credentials on the dark web for sale for $175,000 after having accessed them for more than a year.
A security research firm reported that hackers gained access to data center credentials for some of the world's biggest companies in Asia, potentially allowing them to spy or sabotage their operations.
The caches of emails and passwords were for the customer-support websites of GDS Holdings Ltd., a Shanghai-based data center operator, and ST Telemedia Global Data Centres in Singapore, according to Resecurity Inc., which provides cybersecurity services and investigates hacks. About 2,000 GDS and STT GDC customers were affected. According to Resecurity, which said it had infiltrated the hacking group, at least five of them were compromised, including China's main foreign exchange and debt trading platform and four organizations from India.
What the hackers did with the other logins, if anything, is unknown. According to the security company and hundreds of pages of documents reviewed by Trade Algo, the information included credentials in varying numbers for some of the largest corporations in the world, including Alibaba Group Holding Ltd., Amazon.com Inc., Apple Inc., BMW AG, Goldman Sachs Group Inc., Huawei Technologies Co., Microsoft Corp., and Walmart Inc.
GDS sent a statement in response to inquiries over Resecurity's findings, confirming that a customer-support website was compromised in 2021. How the hackers got their hands on the STT GDC data is unclear; STT GDC said it had found no evidence that its customer-support portal had been compromised that year. Both businesses said the compromised credentials did not endanger the IT systems or data of their customers.
Resecurity and executives at four significant US-based companies that were impacted, on the other hand, claimed that the compromised credentials posed an unusual and serious risk, mainly because the customer-support websites manage who is permitted to physically access the IT equipment kept in the data centers. These executives, who requested anonymity because they lacked permission to speak publicly about the instances, learned about them through Trade Algo and confirmed the details with their security teams.
The size of the data loss documented by Resecurity demonstrates the increased risk that businesses face as a result of their reliance on outside parties to store data and IT equipment and assist in connecting their networks to international markets. Security experts claim that China, where businesses are required to collaborate with local data service providers, is where the problem is most acute.
"This is a disaster waiting to happen," said Michael Henry, former chief information officer for Digital Realty Trust Inc., one of the top US data center operators, when told about the occurrences by Trade Algo. (The incidents had no effect on Digital Realty Trust). According to Henry, the worst-case scenario for any data center operator is that intruders physically get access to clients' servers and install harmful software or extra hardware. "If they succeed in doing that, they might potentially disrupt business and communications on a huge scale."
According to GDS and STT GDC, their key services weren't affected and they had no evidence that something similar had occurred.
According to Resecurity and a screenshot of the posting seen by Trade Algo, the hackers had access to the login credentials for more than a year before offering them for sale on the dark web last month for $175,000. They claimed to be overwhelmed by the volume of them.
As the hackers wrote in their post, "I used some targets." They said they could not handle all the companies because there were over 2,000 of them.
According to Resecurity, the email addresses and passwords may have allowed the hackers to masquerade as authorized users on the customer-service websites. The security firm said the hackers had held the data caches since September 2021 and were still using them to access GDS and STT GDC customer accounts as recently as January, when both operators forced their customers to reset their passwords.
Even without valid passwords, the data would still be useful to hackers for crafting targeted phishing emails against people who have high levels of access to their companies' networks.
Trade Algo contacted many of the affected companies, including Alibaba, Amazon, Huawei, and Walmart, but none responded. Messages seeking comment from Apple went unanswered.
A Microsoft spokesperson stated, "We regularly monitor for threats that could impact Microsoft, and we act appropriately to protect Microsoft and our customers when such threats are identified." Goldman Sachs said, "We have added additional controls to prevent this type of breach, so we are confident that our data is safe."
BMW said it was aware of the issue. In a company spokesperson's words, "BMW is urging GDS to improve the security of information related to its customer base and products." According to the spokesperson, "the issue has very limited impact on BMW's businesses."
GDS and STT GDC provide some of the largest "colocation" services in Asia. Their business model is renting out space in their data centers to clients who install and manage their own IT equipment there, typically to be closer to customers and Asia-based operations. Synergy Research Group Inc., which ranks colocation providers globally, says GDS ranks among the top three in China, the second-largest market after the US, and that Singapore ranks sixth.
GDS and Singapore Technologies Telemedia Pte, which owns STT GDC, are also intertwined: a company filing shows that STT GDC purchased a 40% stake in GDS in 2014.
Gene Yoo, CEO of Resecurity, said the firm discovered the incidents in 2021 after an operative secretly infiltrated a Chinese hacking group that had attacked Taiwanese government targets.
According to Yoo and the documents, Resecurity soon notified GDS and STT GDC, as well as a small number of its own clients that were affected.
After discovering that the hackers were still accessing accounts, Resecurity alerted GDS and STT GDC again in January and also notified the Chinese and Singaporean authorities.
Upon being notified of the security issues, both data center operators responded promptly and initiated internal investigations.
The Cyber Security Agency of Singapore told us it was aware of the incident and was assisting ST Telemedia. A message seeking comment from the National Computer Network Emergency Response Technical Team/Coordination Center of China, a non-governmental organization responsible for handling cyber emergencies, was not answered.
GDS acknowledged that a customer-support website was breached and said that it investigated and fixed a vulnerability in the site in 2021.
According to a company statement, the application that the hackers targeted was restricted in scope and information to non-critical service operations such as generating ticketing requests, planning physical delivery of equipment, and checking maintenance reports. "Requests sent through the application often need offline confirmation and follow-up. Given the simplicity of the program, there was no threat to our clients' IT operations as a result of the attack."
STT GDC said it hired outside cybersecurity specialists when it learned of the breach in 2021. According to the company, the IT system in question is a customer-support ticketing system that "has no connectivity to other corporate systems or any essential data infrastructure."
The company said its customer-service portal was not breached in 2021 and that the credentials were "partial and outdated" credentials for its customer ticketing applications. "Consequently, the underlying data no longer poses a security risk."
According to STT GDC's statement, there was no unauthorized access or loss of data.
Security professionals said the thefts indicate that attackers are looking for new ways to penetrate hard targets, regardless of how the hackers used the information.
According to Malcolm Harkins, a former chief security and privacy officer of Intel Corp., the physical protection of IT equipment in external data centers and the procedures for limiting access to it constitute risks that are frequently disregarded by corporate security departments. Any tampering with the hardware in a data center "may have disastrous effects," Harkins said.
According to the records examined by Trade Algo, the hackers stole the email addresses and passwords of over 3,000 individuals at GDS, including both its own staff members and those of its clients, and over 1,000 from STT GDC.
The records reveal that the hackers also got login information for GDS's network of more than 30,000 security cameras, the majority of which had straightforward passwords like "admin" or "admin12345." GDS did not respond to a query on the allegedly stolen passwords or login information for the camera network.
For different customers, there were a variety of login credentials for the customer service websites. For instance, the documents show that there were 201 accounts at Alibaba, 99 at Amazon, 32 at Microsoft, 16 at Baidu Inc., 15 at Bank of America Corp., 7 at Bank of China Ltd., 4 at Apple, and 3 at Goldman. The customer service portal account of a corporation can be accessed by hackers with just one working email address and password, according to Resecurity's Yoo.
According to Resecurity and the documents, these organizations were among those whose employees' login information was obtained: Bharti Airtel Ltd. in India, Bloomberg LP (the owner of Bloomberg News), ByteDance Ltd., Ford Motor Co., Globe Telecom Inc. in the Philippines, Mastercard Inc., Morgan Stanley, PayPal Holdings Inc., Porsche AG, SoftBank Corp., Telstra Group Ltd. in Australia, Tencent Holdings Ltd., Verizon Communications Inc., and Wells Fargo.
"We do not believe that any data was compromised," Baidu said in a statement. "Baidu takes great care to protect our customers' personal data. We will closely monitor situations like these and be on the lookout for any new threats to data security in any of our operations."
A SoftBank spokesman said a Chinese subsidiary stopped using GDS last year; a Porsche representative added, "In this specific scenario we have no evidence that there was any risk." A representative of the local Chinese company said, "No customer information data leakage has been established, and there hasn't been any damage on its business or services."
While Mastercard stated, "While we continue to monitor this situation, we are not aware of any dangers to our business or impact to our transaction network or systems," a spokeswoman for Telstra stated, "We are not aware of any harm to the business following this breach."
A Tencent spokesperson said, "We do not know whether this breach will have any effect on the business. At Tencent, we directly manage our servers inside data centers, while the operators of data centers do not have access to Tencent servers. The IT systems and servers of our organization remain safe and secure after our investigation. No unauthorized access has been detected."
Wells Fargo used GDS for backup IT infrastructure until December 2022, according to a company spokesperson, who said GDS did not have access to its network, data, or systems. None of the other companies responded to requests for comment.
The undercover operative of Resecurity's Yoo reportedly pressed hackers to demonstrate whether they still had access to accounts in January. Several screenshots showed the hackers logging into five companies' accounts and navigating to various pages in the GDS and STT GDC online portals, according to him. The screenshots were provided to Trade Algo by Resecurity.
According to the screenshots and Resecurity, the hackers broke into a GDS account belonging to the operator of China's main foreign exchange and debt trading platform. The platform is the central bank's foreign exchange trade system and plays an important role in the country's economy. Messages sent to the organization went unanswered.
The pictures reveal that the hackers gained access to accounts at STT GDC for the National Internet Exchange of India, a company that links internet service providers nationwide, as well as accounts for MyLink Services Pvt., Skymax Broadband Services Ltd., and Logix InfoSecurity Pvt.
When contacted by Trade Algo, the National Internet Exchange of India said it was unaware of the incident and declined to comment further. The other Indian organizations did not respond to requests for comment.
When questioned about the assertion that hackers were still using the stolen credentials to access accounts in January, a GDS representative responded, "Recently, we noticed many new attacks from hackers using the old account access information. To prevent these attacks, we have employed a number of technical techniques. We haven't discovered any new successful hacker intrusions to date that are due to a weakness in our system."
"As we are aware, one single client did not reset one of their account passwords to this application, which belonged to an ex-employee of theirs," the GDS spokesperson continued.
"This is the reason we recently made all users reset their passwords via force. We think this is a singular occurrence. It is not the consequence of cybercriminals bypassing our security measures."
"Our investigations to date suggest that there has been no data loss or disruption to any of these customer service portals," the company said. STT GDC said it received warnings in January of further threats to customer-service portals in "our India and Thailand areas."
According to Yoo, Resecurity discovered the hackers offering the databases for sale on a dark web forum in both English and Mandarin at the end of January, following GDS and STT GDC's change of customer passwords.
The post noted that "DBs include client information and can be exploited for phishing, cabinet access, order and equipment monitoring, and remote hands orders. Who can provide support for targeted phishing?"