How data centers need to rethink their vulnerability assessments [Q&A]
Data centers are increasingly faced with more sophisticated attack techniques, putting the information they hold at risk.
Specific vulnerabilities such as misconfigurations may pass under the radar of traditional security scans. We spoke to Daniel dos Santos, head of security research at Forescout, to discuss the potential impact of these vulnerabilities and why data centers need to strengthen their risk management.
BN: Can you briefly describe the current threat landscape for data centers and what you would consider to be the greatest threats or techniques they may face?
DdS: There are mainly three types of threat actors targeting data centers nowadays. First, what everyone thinks most about these days are cybercriminals, especially ransomware gangs, which are after money and will typically exfiltrate sensitive information and hold organizations hostage by encrypting data. Second, there are state-sponsored actors, which may conduct espionage and sabotage operations often using very sophisticated malware. Third, there are hacktivists, which were typically associated with denial-of-service attacks but -- partly as a consequence of the ongoing geopolitical conflicts -- have been consistently moving towards leveraging unmanaged devices such as routers to disrupt operations in targeted organizations.
Beyond common threats to endpoints and servers, such as phishing, we observe that remote management protocols like RDP, SSH and Telnet are the top target for initial access, followed by web attacks and attacks on remote storage protocols, such as SMB and FTP. Many attacks on these protocols rely on weak or default credentials, but exploits are not limited to traditional applications anymore. Common exploits target software libraries such as Log4j, exposed services, such as databases, web applications/servers and email servers, as well as Internet-facing network infrastructure and security appliances, such as firewalls and routers.
In fact, I would consider known and zero-day vulnerabilities in Internet-facing routers and security appliances to be the greatest targets this year. These devices are consistently being exploited by threat actors for initial access, data exfiltration and to proxy command and control communications. Examples include Russian actors targeting corporate routers for reconnaissance and to deploy malware, as well as Chinese actors using routers as proxies and security appliances for initial access.
BN: What examples can you provide of under-the-radar risks or vulnerabilities that data centers may be missing in their traditional security scans?
DdS: There are three things being currently overlooked by data center defenders that either already are or soon will be getting full attention from attackers.
First, hypervisors and virtualization servers have become a major target for ransomware because of the valuable data they store, a growing number of easy to exploit vulnerabilities and the difficulty of implementing security measures, such as endpoint detection and response, on these devices.
Second, there is a multitude of other risky unmanaged devices in data centers, from building automation controllers to uninterruptible power supplies (UPSs), that may be improperly secured. UPSs, for instance, play a critical role in power monitoring and data center power management. CISA has alerted about threat actors targeting UPSs with default credentials, and we have observed hacktivists targeting those devices. Building automation controllers have public exploits that can be easily leveraged by any attacker. Attacks on these devices can have physical effects, such as switching off the power in a critical location or tampering with voltage to damage sensitive equipment.
Third, the Border Gateway Protocol (BGP) is used nowadays for internal routing in most large data centers. Following the network function disaggregation trend, today many leading implementations are open source – and may contain software vulnerabilities. A lot of (deserved) attention is given to aspects of BGP security that can be mitigated with the use of RPKI and BGPsec. However, recent BGP incidents show that it might take only a malformed packet to cause a large disruption. We recently uncovered three new vulnerabilities in a popular open-source routing suite that highlight an often-overlooked aspect of routing and data center security: BGP message parsing.
BN: What are the implications of these overlooked vulnerabilities, if they were to be exploited?
DdS: Vulnerabilities in hypervisors and virtualization servers can allow threat actors to gain initial access into an organization's network and either deploy ransomware there or leverage the obtained data to move further into the network, potentially causing even more damage.
Default credentials and public exploits for unmanaged devices such as UPSs and building automation controllers can lead threat actors to switch off or even cause physical damage to a data center by tampering with power, temperature, access control and other physical settings of a facility.
Vulnerabilities in routing protocols can be exploited to prevent routers from communicating internally or externally, essentially cutting off a data center from the Internet and rendering its services unreachable.
BN: How do data centers need to evolve their vulnerability assessments in 2023 in order to defend against these risks?
DdS: Data center operators need to extend their risk assessment and mitigation beyond the traditional servers and endpoints into all the assets in a network. This includes inventorying and performing vulnerability assessment for network infrastructure, IoT and operational technology devices, including the protocols they run and the software components in their supply chain -- be they open or closed-source.
The last point is crucial. Because of supply chain issues and the lack of software bills of materials (SBOMs), it is often not enough to rely only on security advisories from device vendors to understand the vulnerabilities on a device and ultimately on a network -- since the vendors themselves may not be aware their devices are affected. Cybersecurity solutions that can understand the attack surface and assess devices for specific vulnerabilities are needed.
BN: What are some specific steps data centers can take to proactively strengthen their risk management strategies?
DdS: Traditional cyber hygiene practices such as asset inventory, patching, credential management and network segmentation must be extended to encompass the entire digital landscape of a data center. Data center operators must prioritize the increased attack surface discussed here based on up-to-date threat intelligence showing what types of devices are currently targeted.
Start by focusing on your routers, security appliances and virtualization servers. Ensure that you have full visibility on these assets and that they comply with your organization's security policies. Then, extend this to emerging classes of targeted devices, such as UPS and building automation controllers.
To mitigate the risks of vulnerable routing and BGP implementations, the best recommendation is to patch network infrastructure devices as often as possible. To do so, you must first have an updated asset inventory that keeps track of all the networking devices in your organization and the versions of software running on them. This is much easier to achieve with software that provides granular visibility for every device in the network.