At the beginning of October, our company faced a serious hacker attack.
To keep our services available to clients all around the world, we run several nodes in different data centers across the globe. One of these nodes was attacked and completely disabled.
How was this possible? All of our servers are well protected: they accept management connections only from addresses known to us, and password authentication is disabled altogether, which rules out brute-force and dictionary attacks against logins. Nevertheless, this attack succeeded. The reason is that the attackers did not try to get into our operating system; they went after the hardware. They used vulnerabilities in the remote-management software of Supermicro, a US manufacturer of server motherboards and a very large, well-known maker of server hardware with a good reputation.
For the convenience of remote administration, Supermicro boards carry a hardware and software component called "Supermicro IPMI": a baseboard management controller with its own firmware and network interface that lets you connect to the board remotely and control the hardware directly, below the operating system (power it on and off, redirect the console, and so on). Naturally, it has protection against unauthorized access, but several critical vulnerabilities have been discovered in it in recent years. Access to this management interface is also restricted to addresses known to us on all of our servers. On one single server, however, because of uncoordinated actions by the data center's technical support, no such restriction had been set. This combination of circumstances (a missing access restriction plus known vulnerabilities) let the intruders take control of our equipment.
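The root cause above was a management controller that answered any source address. As an added example (not SafeDNS code and not part of the original post), here is a small Python probe that sends the ASF Presence Ping that tools such as ipmiping use to UDP port 623 and parses the Presence Pong. Run from an address outside your allow-list against every node, a reply tells you that the BMC talks to that address at all, which is exactly the check that would have caught the one unrestricted server. The packet layout follows the ASF/RMCP specification; the sample response is constructed, and the host list on the command line is a hypothetical input.

```python
import socket
import struct
import sys
from typing import Optional

RMCP_PORT = 623
# RMCP header: version 6, reserved, sequence 0xFF (no ack requested), class 6 = ASF
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x06])
ASF_IANA = 0x000011BE          # IANA enterprise number used by ASF messages
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
PONG_DATA_LEN = 16             # IANA(4) + OEM(4) + entities(1) + interactions(1) + reserved(6)


def build_presence_ping(tag: int = 0x01) -> bytes:
    """ASF Presence Ping: RMCP header + IANA, message type, tag, reserved, data length 0."""
    return RMCP_HEADER + struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)


def parse_presence_pong(data: bytes) -> Optional[dict]:
    """Return the fields of an ASF Presence Pong, or None if `data` is not one."""
    # Full pong is 4 (RMCP) + 8 (ASF header) + 16 (data) bytes; class byte must be ASF.
    if len(data) < 12 + PONG_DATA_LEN or data[0] != 0x06 or data[3] != 0x06:
        return None
    iana, msg_type, tag, _reserved, length = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or length != PONG_DATA_LEN:
        return None
    oem_iana, oem_defined, entities, interactions = struct.unpack(">IIBB", data[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),   # bit 7: IPMI supported
        "asf_version": entities & 0x0F,            # low nibble: ASF version
        "rmcp_security_extensions": bool(interactions & 0x80),
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one ping from this vantage point; a parsed pong means the BMC answers us."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample reply (not captured from a real device): IPMI supported, ASF v1.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"          # RMCP header
    "000011be 40 01 00 10"  # ASF IANA, Presence Pong, tag 1, reserved, data length 16
    "000011be 00000000"     # IANA, OEM defined
    "81 00"                 # supported entities (IPMI, ASF v1), supported interactions
    "000000000000"          # reserved
)

if __name__ == "__main__":
    # Usage: python ipmi_exposure.py <host> [<host> ...]  (hosts are a hypothetical input)
    for target in sys.argv[1:]:
        result = probe(target)
        status = "EXPOSED: BMC replied" if result else "no reply"
        print(f"{target}: {status}" + (f" {result}" if result else ""))
```

A reply from an address that should have been blocked is the finding; a timeout is not proof of safety (UDP may be dropped upstream), so run the probe from the same kind of vantage point an attacker would have and keep the per-node result alongside the inventory that says the allow-list was configured.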
What were the consequences? The attackers destroyed all the data on one of the servers. It did not affect our clients in any way: neighboring nodes took over the load of serving them. No customer data was stolen (none was stored there), and no customer statistics or settings were lost, since they are replicated on all the other nodes. Within a few days the situation was fully normalized: we investigated the problem, restored the node and secured it against a repeat.
But why were we attacked? Most likely because we have data worth stealing, just like any other company, large or small, IT-related or not. Bear this in mind if you are tempted to underestimate an attacker's interest in your data.
In the end, the attackers did no damage to our clients and no tangible damage to us, but the incident added to our experience. Everyone keeps a close eye on vulnerabilities in the operating system, in their own code and in the libraries they use. Far fewer people remember that the motherboard firmware (BIOS/UEFI) and its separate components, above all the IPMI/BMC firmware, also need updating for security, especially since updating them is technically quite involved. And the management interface must never be reachable from arbitrary addresses: put it on a dedicated management network or behind an address allow-list, and verify that restriction on every node rather than assuming it was applied. We hope our story has reminded you to do both.
To protect yourself and your company from similar cases, trust SafeDNS to provide your DNS security. Start your free Business trial now with 20% off: use code BlackFriday_20 at payment.