Chinese state-sponsored spies have been spotted inside a global engineering firm’s network, having gained initial entry using an admin portal’s default credentials on an IBM AIX server.
In an exclusive interview with The Register, Binary Defense’s Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim’s three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer’s IT environment for four months while poking around for more boxes to commandeer.
It’s a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants.
Emphasis mine.
“Hmm, yes. Let’s connect this server to our trusted network and never touch it again.” FFS.
Lol, yeah.
The Slashdot article that led me to the original was slanted to say “legacy IT” equipment was the cause and had the distinct subtext that had they been using cloud for everything, they would have been fine.
Nope, this is 100% failure to provision and secure equipment correctly. And cloud doesn’t mean anything for security, especially given how many sensitive files have been left in wide-open, publicly accessible S3 buckets.