HPE has revealed that data repositories for its Aruba Central network monitoring technology have been hacked, allowing a threat actor to gain access to collected data on monitored devices and their whereabouts. Aruba Central is a cloud networking platform that lets administrators manage massive networks and components from a single dashboard. A threat actor gained an "access key" that allowed them to examine customer data stored in the Aruba Central environment. Between October 9th, 2021, and October 27th, 2021, when HPE revoked the key, the threat actor had access for 18 days.
"The customer personal data in the exposed data repositories consists of device media access control (MAC) address, IP address, device operating system type, and hostname, and, for Wi-Fi networks where authentication is used, the username," HPE and Aruba told customers. "The data repositories also contained records of date, time and the physical Wi-Fi access point where a device was connected, which could allow the general vicinity of a user's location to be determined."
Two datasets were exposed in the repositories, one for network analytics and the other for Aruba Central's 'Contract Tracing' feature. The key was automatically turned off on Oct. 27 as part of HPE's standard security measures, according to the company. The breach was found and reported on Nov. 2, six days after the key was deactivated, according to the company.
"Security monitoring tools deployed inside the Aruba Central environment alerted our Security Operations team to suspicious activity," the company said in its FAQ. "The team investigated the activity and on Nov. 2, 2021 concluded that it had been unauthorized."
In several areas, the FAQ was noticeably lacking in information. For example, the Aruba team estimates that the amount of exfiltrated client data is "extremely tiny, if any at all." However, the corporation is unable to say which specific customers' information was stolen, or which files were accessed and when. Despite the fact that these Aruba Central repositories include client data, the firm claims it does not enable logging for individual file access because the repositories are "used for streaming of high-volume machine learning data."
While the stolen data may not pose a significant security risk in terms of launching subsequent attacks, the physical telemetry and location data of Aruba Central users could be exploited, especially because no one knows who was exposed and what files were seen by the invader as of right now.
