Mostly those all boil down to:
1. Shit-to-no backup solution in place.
2. Poor segmentation from a network/identity/privilege perspective.
Datacenters usually have this kind of stuff down pretty well or they don't stay in business very long.
Additionally, traditional ransomware attacks start as client-side attacks [phishing/fake search engine results promising app updates/etc]. This kind of attack works way better against Mary Sue in accounting or Chuck in sales, but the scenario of datacenter admins checking their Gmail on admin workstations or servers is hopefully insanely rare or never.
https://www.datacenterknowledge.com/cyrusone/cyrusone-confir...
https://www.datacenterknowledge.com/equinix/data-center-gian...
https://www.datacenterknowledge.com/manage/ransomware-grows-...
There was another vendor that didn't publicize their attack. I can confirm it hit Konica Minolta. Vector was through one of their data center providers. https://www.bleepingcomputer.com/news/security/business-tech...
Datacenters hold machines which can belong to many different companies, and there can be intranets between them, but otherwise they are equivalent to being connected to the Internet.
- They mostly run Linux
- They don't execute arbitrary code or binaries
- They are hardened by default
- Servers mostly sit behind layers of firewalls and load balancers
- Machines/VMs are isolated from each other
- They have backup and disaster strategies in place
It does happen though. Equinix was hit last year in a limited fashion.
So imagine company A has a cabinet full of machines. The fact that company B has a cabinet full of machines in the same building doesn't make it more likely that it gets infected.
It would then follow that the staff are highly cognizant of things like phishing attacks, which is one of the ways ransomware propagates.
The data center doesn't have to worry about ransomware just because they could get locked out of their business software; worse yet, an attacker could simply approve themselves for physical access and gain access to all the tenants' machines by proxy, so there is a lot motivating the data center to proactively mitigate this stuff.
Presumably an automated scan eventually found it (after a few weeks or so).
IIUC, someone manually logged in to start a crypto miner on it.
Moral of the story: "a quick thing" needs to mean "15 minutes or less", or a scenario where I'm constantly connected.
(And as an aside, the hunt continues for a decent VNC app for Android that combines the usability of RealVNC with compatibility with host-based TLS auth... I _would_ like to permanently stop worrying about passwords...)
- We in fact heard it a lot: "X is down", "X is affected". ("When a person is the victim of extortion it's called extortion, but if it's a nation, is it called terrorism? Global politics?")
- The owners of the data centers have a lot of money, but they are also more ruthless in dealing with "threats" from street-level criminals ("give us money or... or... or... elseeee!" "ELSE"). Also, they can hit back harder (?) ("stealing from granny is easy, but from a tank crew not so much?")
- Also, the money means paying peanuts now to keep things quiet is easy, and solving it internally is not that big of a deal (this one I know, once, from somebody I don't think was lying! - from banks: the guys are targeted and breached more than people know, but who cares? Too much money, and they can call a BOSS in the military/police to deal with it later.)
If you can get root on any internet-connected machine, for instance, you wouldn't attack a data center.
I'm not sure what the 'thing' in a data centre would be that you would hack that's unique? Would it be switching equipment? But then what, an OS zero-day? Why not hit computers with the zero-day that aren't behind switching equipment?
(Obviously they get "hit" all the time; most of the data being ransomed probably sits encrypted in a data center, along with REvil's house, possibly also a data center. Currently their onion site being down means their data center may have been hacked by a 3LA.)
Data centers execute code, and that could be hacked.
1. I initially found it curious that https://news.ycombinator.com/item?id=13718752 ("Cloudflare proxies are dumping uninitialized memory") never seemed to make the mainstream news, while Heartbleed did. There are some awkward conspiracy arguments there, but I eventually realized that there's also the fact that people can just make mistakes at the end of the day, and while Heartbleed was very arguably in the public interest because individuals everywhere needed to take action to keep their systems (arguably) secure, making a website and a silly name to highlight the security implications of a single company's mistake just... has the wrong tone, and it doesn't seem too much of a stretch to see major news coverage as somewhat similarly interfering and unhelpful.
2. There was discussion here ~some years ago about a random analytics test portal someone found that, when logged into (with "demo"/"password" or something similar) from a cellular device's IP, doxxed the name/address/last-4 of SSN (or possibly the whole thing, unsure)/etc of the account owner if that device was signed up to a particular US telco. Made quite a splash here; never hit the news. Not only was this not a mistake, it was definitely in the public interest: the company in question was clearly buying a realtime feed of $telco's entire IP address table, an item that should simply not have been for sale, and lack of security on the purchaser's part meant an unbounded number of individual customers were potentially affected (imagine visiting random websites and having them go "hello $yourname $lastname" and getting it right because they've just crammed an XHR to admin:password@portal.demo/api/whatever in their page, which IIRC had `access-control-allow-origin: *` and everything).
3. I've always found it a cute addition that the marketing video Google put out about their datacenter facilities (https://youtu.be/XZmGGAbHqa0?t=138) prominently features an "Alligators present" sign... but it's probably at least vaguely representative of the reality. These places have to deal with all kinds of insanity.
4. There was a story on here a little while back about the Cellebrite analyser (https://news.ycombinator.com/item?id=25522220). Reading the comments, I had a bit of an epiphany about one possible reason why Facebook, Whatsapp, Google, etc, actively want to use end-to-end encryption, which I wrote up at https://news.ycombinator.com/item?id=25522220: owning potentially hundreds of trillions of messages represents an untenable liability. I've read comments here that suggest most security products are good up to $1 million, and a lot of security infrastructure (as installed on arbitrary servers, workstations, laptops, phones, etc) would begin seriously wobbling at even a fifth of that kind of money. (Apple ranked secure ROM extraction at $250k according to http://ramtin-amin.fr/#nvmedma (possibly published circa ~2015).) The thing is, if you have everyone's* messages - for an expansive, inclusive definition of "everyone" - then the value proposition you represent is comprised by every high-level individual who has sent messages using your platform, PLUS the fact that you have the cohesive bigger picture from group conversations between multiple high-level parties. In this light, spending a billion dollars or more to hack into a datacenter doesn't seem too far-fetched; as I noted in the linked writeup, you'd be able to start world wars 4 through 16.
5. I randomly heard anecdata that suggest datacenters periodically experience various interesting hardware faults. The response to my expression of curiosity (https://news.ycombinator.com/item?id=26407909) was extremely reasonable: go out for drinks with the old-timers.