The scourge of ransomware is undoubtedly the most serious cyber security concern for home users and organizations these days. It revolves around taking important data hostage and demanding money, usually hard-to-trace cryptocurrency like Bitcoin, in exchange for the recovery service. Online extortionists are constantly diversifying their attack vectors to affect as many victims as possible. The rise of database ransomware in 2017 demonstrates this unsettling evolution. The threat actors who chose to zero in on servers rather than end users have had huge success with these novel tactics.
MongoDB servers turn out to be an easy target
A massive campaign targeting MongoDB servers broke out at the beginning of January 2017. It was the first-ever instance of malefactors compromising open-source database platform installations on a large scale. A black hat hacker known in the cybercrime underground under the alias “Harak1r1” was able to identify and attack numerous poorly protected MongoDB installations across the globe. The workflow of these breaches is as follows: the crook gains unauthorized access to a database, exfiltrates its content and replaces it with a ransom note. Server owners are instructed to submit 0.2 Bitcoin, which is currently worth about $210, to get the hostage data back.
Shortly after this extortion model took root, a powerful criminal group called Kraken got interested and stepped in. This involvement resulted in the number of ransomed MongoDB servers growing from 10,000 to a whopping 28,000 in less than a week. The total amount of data stolen by the attackers reached about 93 terabytes. Several dozen victims reportedly ended up coughing up the requested ransom. However, they never got their data back. It’s likely that the crooks were bluffing about the deal: they simply erased the information without actually exporting it anywhere.
The reason why so many MongoDB instances became low-hanging fruit for the bad guys comes down to a lack of caution on the administrators’ end. The campaign in question hit Internet-facing databases whose default configuration had never been altered. The ne’er-do-wells behind the attacks could, therefore, gain access to these unsecured servers by guessing or brute-forcing the password. None of this would have happened if admins had set up proper access control and authentication.
Hadoop and CouchDB databases at risk
A new wave of database attacks started hitting the headlines in mid-January 2017. This time, the same group of hackers went after servers running the Hadoop and CouchDB data management platforms. As with the MongoDB incidents described above, these breaches hijack unsecured servers and delete their data. The extortion part involves a ransom demand, where the hackers pressure the affected organizations into paying 0.2 Bitcoin to restore proprietary information.
Another common denominator in the two campaigns is that the fraudsters spot and compromise default installations of Hadoop and CouchDB databases with very weak authentication. Effectively, no malware or phishing tricks are involved – simply guessing administrative credentials is enough to pull off these attacks. The most adverse nuance of the breach aftermath is that the data is erased beyond recovery, so submitting the ransom won’t help.
About the same time, an individual who goes by the online handle “Kraken0” released a ransomware kit that automates the process of detecting and hacking into poorly protected databases. This kit is available for sale on darknet resources, the price being $200. Wannabe crooks must have really appreciated such an opportunity to go pro.
MySQL databases aren’t much safer
Ransomware deployers didn’t skip vulnerable MySQL installations either. Servers running this popular database management system have been subject to extortion attacks since February 12. Although the first wave lasted only 30 hours, it succeeded in compromising hundreds of MySQL databases globally. The anatomy of the attacks is always the same: defeat authentication and access a server, delete the database content and then ask for 0.2 Bitcoin. Unfortunately, most of the time the criminals don’t actually dump the data, so recovery is unfeasible.
The breach can take one of two routes. The first involves adding a new table called “WARNING” to the existing database. This table holds a recovery how-to providing the attacker’s email address, a Bitcoin wallet address, and the amount to be paid. The server administrator is instructed to visit a specific page using the Tor Browser and follow further directions listed on the darknet site. The other scenario creates a new database containing a table called “PLEASE_READ”. This edition of the ransom note tells victims to submit the specified amount of cryptocurrency and then send the affected server’s IP address or database name to email@example.com. In either case, the perpetrators don’t keep their promises and never give the hostage data back.
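As an added example that is not part of the article, here is a read-only audit a MySQL administrator can run to check a server for the two things described above: the weak authentication that lets the attackers simply guess their way in, and the WARNING / PLEASE_READ ransom-note tables they leave behind. It assumes MySQL 5.7 (the `mysql.user` column names differ in other versions) and an account allowed to read `mysql.user` and `information_schema`.

```sql
-- Added audit queries (not from the article); assumes MySQL 5.7.

-- 1. Network exposure: skip_networking=ON or bind_address=127.0.0.1 means the
--    server is not reachable from the Internet in the first place.
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'skip_networking', 'port');

-- 2. Accounts that can connect from any host with no password at all, which is
--    exactly the "default installation, weak authentication" condition the
--    campaigns rely on.
SELECT user, host, plugin
FROM mysql.user
WHERE host IN ('%', '')
  AND (authentication_string = '' OR authentication_string IS NULL);

-- 3. Remote root: the administrative account should be limited to localhost.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. Ransom-note artefacts: a WARNING table added to an existing schema, or a
--    new schema holding a PLEASE_READ table. UPPER() covers servers where
--    lower_case_table_names changes how names are stored.
SELECT table_schema, table_name, create_time
FROM information_schema.tables
WHERE UPPER(table_name) IN ('WARNING', 'PLEASE_READ')
ORDER BY create_time DESC;

-- 5. Per-schema inventory: a schema that has suddenly gone (nearly) empty, or
--    one that appeared recently, is the deletion / note-drop step of the attack.
--    table_rows is an estimate for InnoDB, good enough to spot a wipe.
SELECT table_schema,
       COUNT(*)           AS tables_present,
       SUM(table_rows)    AS approx_rows,
       MAX(create_time)   AS newest_table
FROM information_schema.tables
WHERE table_schema NOT IN ('mysql', 'information_schema',
                           'performance_schema', 'sys')
GROUP BY table_schema
ORDER BY newest_table DESC;
```

Any row returned by queries 2 or 3 is a misconfiguration to fix before the server goes anywhere near the Internet; any row from query 4 means the server has already been visited.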
The bottom line
All of the recent database hack incidents demonstrated that the data management platforms per se are not to blame for these predicaments. Whether it’s MongoDB, Hadoop, CouchDB or MySQL, each one provides plenty of security capabilities and information protection options, including advanced authentication, access control, and data encryption.
It is careless deployment of these databases that allows these attacks to get through. The malefactors can simply scan Shodan, a search engine for online-accessible devices, to find vulnerable servers. The rest is a matter of low-level hacking. IT executives are therefore strongly advised to keep their database software up to date and leverage the security features that come with every such platform.
Contributed by David Balaban
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.