There are tens of thousands of publicly-accessible data center infrastructure management (DCIM) applications left exposed on the Internet, many with default passwords, warns new cybersecurity data.
New research from US cybersecurity firm Cyble this month warned that it was able to find DCIM, heating, ventilation and cooling systems (HVAC), uninterruptible power supply (UPS) systems, server rack monitoring solutions/power distribution units (PDUs), and transfer switches online, many of which it could easily access.
It warned that threat actors could monitor and manipulate systems, potentially resulting in critical failures and outages.
“While researching the scope of vulnerabilities exploitable to damage data centers, Cyble Research Labs found multiple DCIM software, intelligent monitoring devices, thermal cooling management control systems, and rack power monitors vulnerable to cyberattacks,” the company said, adding that it found more than 20,000 public-facing instances and products of various vendors dealing with data centers and their operations, many using default passwords.
The company found accessible instances of Sunbird’s dcTrack, Liebert's CRV iCOM, as well as APC by Schneider, Vertiv, and Device42 software.
“Cyble researchers were able to find several web instances of Liebert CRV iCOM that are still using the default passwords to secure these critical assets of the data center,” the company said. “As a result, hackers and other malicious threat groups can quickly access cooling units of the data center and overheat the data units.”
In its research, Cyble was able to manipulate the load, voltage, and other transfer switch settings; control the UPS and delete logs; alter the floor and rack planning; reset the applications and software; remove existing backups and upload malicious backup files; and retrieve and alter user credentials. Researchers were also able to uncover the rack and cabinet details and other configurations, and monitor IP addresses.
The company recommends segmenting networks, regular patching, constant assessment and monitoring of public-facing systems, strong access controls, and password management.
Bleeping Computer notes that, as well as this study, security researcher and ISC Handler Jan Kopriva found over 20,000 servers with exposed iLO management interfaces.
HPE Integrated Lights-Out (iLO) management interfaces are used to provide remote low-level access to a server, allowing administrators to remotely power off, power on, reboot, and manage servers as if they were physically in front of them.
“If remote attackers were able to get access to an iLO, they would basically have full control over the target server,” Kopriva noted.