Data Theft Using Rack PDUs

Welcome back. Last time, we looked at the general manner about how data in a rack rack can be compromised via an SNMP DDoS attack . This week, in our second part, we look at Data Theft Using Rack PDUs.  This includes the specifics of how an SNMP attack can be launched to actually steal information from your servers via your rack PDU.

The first and most important thing to understand is that, in today’s cyber world, the majority of large-scale and/or sophisticated cyber theft involves the use of Malware. Malware is planted in obscure places in order that suspicions are not aroused. The better the Malware is hidden, the better its chances of success.  When a well-positioned Malware implantation is successful, data theft often goes undetected for months before being discovered.  In fact, according to the Ponemon Institute, more than 90% of successful cyber attacks are discovered more than 3 months after they began!

We have been fortunate enough to have run cybersecurity tests on many different brands of small UPS’s and PDU’s and the results have been eye-opening.  We have been able to view actual activities of cyber criminals and have learned how they carry out their craft. In the specific Malware attack that we will focus on today, SNMP devices within close proximity to valuable data are implanted with Malware and that Malware is then used to discover and ultimate launch an attack on a data source.  That data source can be servers, storage systems, copiers and printers because all are managed with SNMP.

How is the Malware planted? Normally via phishing or via implanting the Malware on a mobile device that is carried into a data center or data room. In other words, much of this Malware is implanted within devices without the knowledge of a user. But, in today’s BYOD world, once a device is infected, its easy for the Malware in that device to look for a target system to infect.

An SNMP device makes a near perfect device in which to implant Malware for the following reasons:

  • SNMP is the most universally used management protocol
  • SNMP devices broadcast their presence to other SNMP devices on the network
  • SNMP devices are easily compromised due to SNMP’s lack of security (yes, please read previous blogs to see that even SNMPv3 is vulnerable)

Now let’s discuss what we have seen in the world. We have seen live scans that show the SNMP ports of rack UPS and PDU systems being penetrated by cyber criminals. We have then seen Malware implanted on these systems. That Malware then scans for other SNMP devices on the network looking for sensitive data and, finally, when the data is located, it is copied and sent from the UPS or PDU to a remote server owned by the cyber criminal. Amazingly enough, these Botnets are so well built that they even load their own file management system to protect the stolen data and this all happens on the SNMP chip of a UPS or PDU. Amazing!

Some might read this an think that they are protected because they have a firewall. I would politely point out in reply that Sony had firewalls; Home Depot had firewalls and Target had firewalls. All three of these companies were robbed of valuable data through the use of Malware that was planted deep within their networks. In all of these cases, it took considerable time after the infection occurred to realize that they had been stolen-blind. In all 3 cases, it was far to late to stop enormous damage from being done.

If we are to successfully battle cyber theft, we must realize two things:

  1. Just because you can’t see it doesn’t mean that its not there. Think about Malware as a tiny virus that is only visible under an electron microscope. Only a few even own an electron microscope, let alone know where to look for the virus.
    You must be vigilant to block all known means of Malware entry. Please realize that this is no game. The cyber criminals, including nation-states, are happy when people think their Malware couldn’t be inside of their systems.
  2. If you have critical data in a rack, you need to block access to the SNMP management ports on your UPS, PDU and other rack power and environmental infrastructure. But, at the same time, you still need to manage that infrastructure. It is that unique combination of cyber protection and management of operational and physical data that are the key features of the RackGuardian system.

Please think about these facts and we are more than happy to have a confidential discussion of protecting your Rack PDU and UPS units to protect your data.

Until Next Time,

Be Well!