Slashdot Mirror


Database Attacks Spread To CouchDB, Hadoop, and ElasticSearch Servers (bleepingcomputer.com)

An anonymous reader writes: Two weeks after cybercriminal groups started to hijack and hold for ransom MongoDB servers, similar attacks are now taking place against CouchDB, Hadoop, and ElasticSearch servers. According to the latest tallies, the number of hijacked MongoDB servers is 34,000 (out of 69,000 available on Shodan), 4,681 ElasticSearch clusters (out of 33,000), 126 Hadoop datastores (out of 5,400), and 452 CouchDB databases (out of 4,600). Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.
Two security researchers are tracking the attacks on Google spreadsheets, and report that when a ransom is paid, many victims still report that their data is never restored. But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

67 comments

  1. no ransom 'cause by turkeydance · · Score: 1

    data ain't worth it. "shit".

  2. But it's fast as hell by Billly+Gates · · Score: 2

    They ARE WEBSCALE!

  3. NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 2, Insightful

    It's really, really pathetic how often NoSQL DBs make even MySQL look good.

    1. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      You misspelled MSSQL!

    2. Re:NoSQL DBs make MySQL look good by Billly+Gates · · Score: 1
    3. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      Security-wise MS SQL is quite good, definitely in the top tier. MySQL by comparison is still in the shitter, being slightly worse than Oracle.

    4. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      How does this make an argument of my SQL look better or not?

    5. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      Yeah good luck putting a MSSQL with open ports on the Internet.

    6. Re:NoSQL DBs make MySQL look good by Richard_at_work · · Score: 1

      Does anyone else remember the shit MS got on here years ago when MS SQL Server was being pwned in the exact same manner - weak default root account passwords...? Or rather, no password at all...

      Here we are, 15 years on and very few seemed to have learned anything from the SQL Server debacle.

    7. Re:NoSQL DBs make MySQL look good by HornWumpus · · Score: 1

      Do you know how I know you have never installed MS SQL server?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    8. Re: NoSQL DBs make MySQL look good by slazzy · · Score: 1

      postgresql is still the best. Can be slow if configured incorrectly but it's otherwise an amazing database. https://www.postgresql.org/

      --
      Website Just Down For Me? Find out
    9. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      No. I've yet to see Postgres beat MySQL (specifically Percona) either for performance or useful features. The proviso is, of course, experienced people configuring both DBs.

    10. Re: NoSQL DBs make MySQL look good by hlavac · · Score: 1

      Postgresql isolation model is shit.

    11. Re: NoSQL DBs make MySQL look good by mlts · · Score: 1

      I've seen PostgreSQL run rings around MongoDB. This being the case, there isn't a real reason to even bother with MongoDB... just stay with something tried and true that has a known good security model.

    12. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      MySQL only looks like a database, but it is terribly unreliable in case of an unexpected shutdown of the hardware. Postgresql _IS_ a real database with perfect reliability. It now even supports unstructured data, even faster than the dedicated unstructured databases. Try it, you will never leave it.

    13. Re: NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 0

      That's alt-facts.

  4. Job security by Elentar · · Score: 4, Insightful

    Events like this are what keep sysadmins employed. If you're not paying someone to protect your technology infrastructure, including a layered backup strategy, an effective security policy, and regular audits, this is going to happen to you too.

    --
    The wheel it turns, around and around, with an ancient rumbling sound.
    1. Re:Job security by Billly+Gates · · Score: 3, Insightful

      This assumes management actually gives a crap about security. More than likely they will blame you and fire you and just bring in a paper MCSE from Bangalore to administer the systems next, using the hack as an excuse to cut costs.

    2. Re:Job security by HornWumpus · · Score: 1

      An example will have to be made.

      Yahoo was/is looking like a good one. They have already lost a cool billion in valuation due to lack of security, ignoring the real payday they passed on a decade or so ago.

      Verizon should slowly rake them over the coals, drag it out as long as possible while _punishing_ the shareholders and employees.

  5. The only way by XparXnoiaX · · Score: 1

    That's how it should be. The only way we can ever get corporations to be more secure is by hurting them. A little ransom doesn't hurt.

    --
    Irresponsible disclosure is responsible
  6. Well, good by Sneftel · · Score: 3, Insightful

    Publicly and destructively reminding sysadmins to secure their data, rather than issuing sub rosa demands for bitcoins, is in some sense a reasonable approximation of internet philanthropy. And I notice that -- in contrast to standard ransomware procedure -- backups weren't targeted. More power to them.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    1. Re:Well, good by Anonymous Coward · · Score: 1

      Security is not my department. If you want your servers secure, you should have done better than have two of your software developers set them up for your company.

    2. Re:Well, good by know1 · · Score: 3, Interesting

      The fact that not all software developers think security is their problem is what is making software worse. Security is EVERYONE'S problem.

    3. Re:Well, good by DontBeAMoran · · Score: 1

      That's the problem. People who code CANNOT be experts in ALL domains related to their jobs. From my point of view, your extremely secure code ain't worth shit if your HTML and CSS can't even validate.

      --
      #DeleteFacebook
    4. Re:Well, good by anchovy_chekov · · Score: 3, Interesting

      That's the problem. People who code CANNOT be experts in ALL domains related to their jobs. From my point of view, your extremely secure code ain't worth shit if your HTML and CSS can't even validate.

      Hence the fiction of the "full stack developer". When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.

    5. Re:Well, good by know1 · · Score: 2

      When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.

      To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

    6. Re:Well, good by Anonymous Coward · · Score: 2, Interesting

      Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

      It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.

    7. Re:Well, good by anchovy_chekov · · Score: 3, Interesting

      To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

      True, but it's often not the sort of thing first and foremost in a developer's mind. If she/he can connect to a database easily it's one less impediment to getting on with the task of writing code. It takes a different mindset to focus on what could possibly go wrong at a system level.

      A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."

    8. Re:Well, good by ls671 · · Score: 3, Funny

      but, but, they are noSQL databases thus, 100% injection proof... ;-)

      --
      Everything I write is lies, read between the lines.
    9. Re:Well, good by know1 · · Score: 1

      It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.

      We weren't talking about that, we were talking about having databases accessible to the public. I'm fully aware there are other attack vectors, but having your DB on a public port/machine is up there with using "p@ssword" as your password.

    10. Re:Well, good by anchovy_chekov · · Score: 1

      but, but, they are noSQL databases thus, 100% injection proof... ;-)

      Best belly chuckle of the day!

    11. Re:Well, good by HornWumpus · · Score: 1

      In my experience, at least half of working DBAs are just vastly overpaid backup monkeys.

      Even among the 'good ones' you'll find a lot more competent SQL programmers then competent security specialists.

      Of course 'security specialists' aren't, as a group, all that useful either.

      The real problem is hiring and HR. It is a critical role and is almost always filled by someone who wouldn't know a competent computer geek if he was chewing her.

    12. Re:Well, good by HornWumpus · · Score: 1

      Some people would say having your DB server running the same OS as your web server is equally insecure/stupid.

      Granted it's usually DB2/AS400 (or some other half dead ecosystem) people saying it. But fundamentally, they have a point.

    13. Re:Well, good by HornWumpus · · Score: 1

      If developers are routinely attaching to live servers, you have deeper problems.

      Many places, more or less, require you to run a development DB copy local, just to escape the 'preventers of information services' from bogging you down.

    14. Re:Well, good by jwhyche · · Score: 0

      Put the head of your security department on a pike outside the system room, as an example of what failure looks like to his successor.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    15. Re:Well, good by cerberusss · · Score: 1

      A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."

      Now I have this image in my head of a female QA engineer with tentacles, with a gruesome weapon in each one. And I desperately want to make love to it.

      --
      8 of 13 people found this answer helpful. Did you?
    16. Re: Well, good by MachineShedFred · · Score: 1

      I don't know how many times I've had to tell developers that source code is not the place for credentials to be stored. They give me some whiner line or another, and that's when I ask them if they know exactly who has access to read their code once they push their commit, and how they are going to answer to the SOX auditors (and company executives) because I'm not going to cover their ass after specifically setting up infrastructure for dealing with securing credentials that they are too lazy to use.

      Strangely, they see the light and start doing it the right way. And then I rotate the password that they had already put into git, since it would still be in the commit history. /sigh

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    17. Re:Well, good by Anonymous Coward · · Score: 0

      There are plenty of companies who have restructured like that who still use that as a basic tenet. What you describe is more of an issue for companies who are basically a rushed to market mashup than having properly designed and built their product. Full stack developer or DBAs don't really come into it. I know several full stack developers who know much more than a lot of DBAs. It's the mindset rather than how the skills are spread among your employees, and interviewing people properly so you can tell the 'full stack developers' apart from the people who are simply putting buzzwords on their CV.

    18. Re:Well, good by anchovy_chekov · · Score: 1

      Now I have this image in my head of a female QA engineer with tentacles, with a gruesome weapon in each one. And I desperately want to make love to it.

      *Chuckle*

      "And can I introduce you to the chief of our QA department. Apologies for the headless bodies of software developers, that's just the way she works."

    19. Re:Well, good by gl4ss · · Score: 1

      non validating html and css in a project that is otherwise secure is still better than something that gets pwned.

      look, people don't need to be experts in ALL domains. they just need to think "how the snotty boy next door is going to pwn this" and that's already enough. however the way things go nowadays is that people throw together a template prototype and the management sells that as a product to the customer - eos - then IF the project is something that actually makes money then MAYBE it is thought through again from any kind of security viewpoint,

      if project management happens to separate concerns in the project enough that only the project management (who doesn't understand or care) would know all the things to answer that question, then the problem is right there.

      so your view is a pretty moran view. nobody cares if the html and css validates- they care if it renders. and on the other hand nobody fucking cares if your html and css validates if it doesn't render in the browser the audience of the website is using!

      --
      world was created 5 seconds before this post as it is.
  7. Some men can't be bought or reasoned with by Anonymous Coward · · Score: 0

    Some men just want to watch the world burn.

    1. Re:Some men can't be bought or reasoned with by Anonymous Coward · · Score: 0

      Have you seen the world? It deserves to burn.

  8. Re:Trump by Anonymous Coward · · Score: 0

    How do they trump when faggots always have a cock up there?

  9. No ransom? Unthinkable! by know1 · · Score: 1

    > the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    Glad to see there's still some people doing it for the lulz.

    1. Re:No ransom? Unthinkable! by Anonymous Coward · · Score: 1

      That was for the lulz? Don't replace everything with a boring string. Instead, make lots of subtle changes. Lower all prices by 10-20% if it is a shop. Swap first and last names. Replace any zipcode with its square root.

      Repeat weekly, "for the lulz". See how many months you can keep doing it. Be creative in your destruction!

  10. You're welcome by Anonymous Coward · · Score: 0

    Loser.

  11. left their web-based admin panel open to remote co by mmell · · Score: 1

    And got exactly what they deserved.

    I hope all of these admins are now getting well deserved unemployment checks. This was just plain stupid, and not being a security expert is no excuse.

  12. The only surprise is it took so long by gweihir · · Score: 3, Insightful

    I expect that quite a few people knew that there were a lot of not adequately secured and Internet-visible DB installations. It was only a question of time until somebody with the criminal energy to use that came along.

    Moral: If it is insecure and connected to the Internet, it will get hacked sooner or later.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Re:left their web-based admin panel open to remote by gweihir · · Score: 1

    While I sort-of agree, with management always looking for cheapest (not "cheapest possible that still gets the job done"), their replacements will likely be worse.

  14. FFS! by Anonymous Coward · · Score: 0

    1. Content that does not need to be indexed, encrypt _before_ inserting.
    2. Write a journal of all inserts and updates somewhere, backup offline, so that the database isn't the only authoritative source of information.
    3. Have a hot spare of the database running.
    Simple shit like that, and other basic stuff. People too lazy to prepare in advance create rods for their own backs. At times like these, it makes me wonder if sysadmins are closet IT masochists who want to be punished for being bad. The worst was that with mongodb, which by default has auth security switched off, some of those who were hacked were hacked because they couldn't be bothered to switch auth security on. Civil engineers that were as sloppy would struggle to keep their career going.

  15. NoSQL == No Security by Anonymous Coward · · Score: 0

    Moral: If it is insecure and connected to the Internet, it will get hacked sooner or later.

    Corollary: Using complex new technologies that you don't fully understand, like MongoDB or Hadoop, is a sure-fire way to get into trouble. Just because the "cool" kids are using it doesn't mean that it's a good choice for your project too. Think before taking something new and shiny into your production code. Do you really need that? Do you have the problem that you think you have? Getting your butt handed to you by hackers is a hell of a way to find out that you made the wrong choice. Businesses have failed for less.

  16. Oh this just gets better and better... by mhkohne · · Score: 4, Insightful

    >Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.

    Well yea, they've extracted much of the money they are going to get from the victims (people are fixing things, or failing to pay because they've been hacked 6 times in a row and have no idea how to get their data.)

    >But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    I was wondering when we'd start to see this kind of activity. I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing. Morally I can't justify breaking other people's stuff just because they are a pain in my ass, but clearly there's someone out there who doesn't share my values.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:Oh this just gets better and better... by djinn6 · · Score: 1

      I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing.

      Immoral or not, I'd love to see botnet operators installing security patches on the devices they control, just so they won't get reinfected by the bricking code.

    2. Re:Oh this just gets better and better... by AmiMoJo · · Score: 1

      Unfortunately bricking IoT devices is likely to be the only solution for many of them. Say you are an ISP and you find that a popular model of IoT lightbulb has created a vast botnet inside your network. If you don't do something about it your network will start to get blacklisted and blocked to mitigate the damage. The vendor isn't interested in updating the firmware, and even if they did you have no way to force all users to take the update and just contacting them will cost you a small fortune.

      So you block their servers at the DNS level, maybe block the outgoing ports they use too. Lots of ISPs already block port 25 for this exact reason - too many infected PCs sending spam.

      Naturally the bulb no longer works, but most customers will just assume it is broken and buy another one from eBay, or call you so that you can explain how their lightbulb has a virus and had to be blocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. Re: by Anonymous Coward · · Score: 0

    Thank you for some truth!

  18. Re: left their web-based admin panel open to remot by mmell · · Score: 1

    That's true. Cream may rise to the top, but shit floats.

  19. Of course you won't get your data back by Anonymous Coward · · Score: 0

    The Elasticsearch attack (the common versions so far) is a wildcard/_all index delete along with the creation of a few attention-getting indexes. Attackers don't bother making a copy of the data (hugely time/space-wasting and pointless -- generally it's just logs or development clusters), and if they did copy the data, they certainly wouldn't hold it securely for the owner.

    Your data got deleted, that's all.

    It's true, if you leave your keys in the car long enough, someone will drive away in it.

  20. Ransomware by cstacy · · Score: 1

    Ransomware is web scale!

  21. Re: left their web-based admin panel open to remot by AJWM · · Score: 1

    But, does shit float in cream?

    Enquiring minds want to know.

    --
    -- Alastair
  22. Rookie mistake by plopez · · Score: 1

    Always secure your admin console. Make sure they do not ever listen to remote addresses; 127.0.0.1 is a good address to use. Also make sure it has a nice long secure password, and after updates and patches test the login. Negative test it. That's just basic DBA work. It can even be scripted.

    --
    putting the 'B' in LGBTQ+
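    The "just run a portscan" check from earlier in the thread and the "it can even be scripted" advice above, as one added host-side script that is not from any poster: it reads `ss -ltnH` output and flags database or admin-panel listeners bound to anything other than loopback. The port list is my assumption of the stock defaults for the products in the story (MongoDB 27017, Elasticsearch 9200/9300, CouchDB 5984, Hadoop web UI 50070 and HDFS 8020).

    ```shell
    #!/bin/sh
    # Added example, not code from the thread: flag database/admin listeners
    # that are bound to all interfaces instead of loopback.
    # Input is `ss -ltnH` output: one LISTEN socket per line, local address
    # in column 4. Ports below are the stock defaults I assume.
    DB_PORTS="27017 9200 9300 5984 50070 8020"

    # is_db_port PORT -> exit 0 if PORT is one we care about
    is_db_port() {
        for p in $DB_PORTS; do
            [ "$1" = "$p" ] && return 0
        done
        return 1
    }

    # exposed_db_listeners reads ss -ltnH lines on stdin and prints
    # "ADDR PORT" for every database port bound to a non-loopback address.
    # Exit status 1 if anything was printed, 0 if the host looks clean,
    # so it can gate a deployment pipeline.
    exposed_db_listeners() {
        found=0
        while read -r _state _rq _sq laddr _rest; do
            [ -z "$laddr" ] && continue
            port=${laddr##*:}      # text after the last colon
            addr=${laddr%:*}       # everything before it, e.g. [::] or 0.0.0.0
            is_db_port "$port" || continue
            case "$addr" in
                127.*|'[::1]'|'::1') continue ;;   # loopback only: fine
            esac
            printf '%s %s\n' "$addr" "$port"
            found=1
        done
        return $found
    }

    # Constructed sample in the ss column layout (not real output from any host):
    # CouchDB and the Hadoop UI are on loopback, MongoDB and Elasticsearch are not.
    SAMPLE='LISTEN 0 128 127.0.0.1:5984 0.0.0.0:*
    LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
    LISTEN 0 128 [::]:9200 [::]:*
    LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
    LISTEN 0 128 127.0.0.1:50070 0.0.0.0:*'

    # On a live host:  ss -ltnH | exposed_db_listeners
    printf '%s\n' "$SAMPLE" | exposed_db_listeners || echo "exposed listeners found"
    ```

    Run it from the box itself; the portscan from a different machine remains the confirmation that no firewall or NAT rule re-exposes what this reports as loopback-only.
    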
    1. Re:Rookie mistake by Anonymous Coward · · Score: 0

      127.0.0.1 is a good address to use.

      Yep. Its mine - so I get all your data!

      --
      You have the right to remain stupid.

  23. This strange effect by sad_ · · Score: 1

    "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    Sad times when a thing like this is now considered strange, why-o-why didn't the hacker ask for money!?

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:This strange effect by Anonymous Coward · · Score: 0

      yéy

  24. Re: Trump by Anonymous Coward · · Score: 0

    What a truly inclusive and progressive opinion you have shared. Thanks for convincing me with your surprisingly detailed argument that the Democratic Party is clearly the future I should be voting for.

    No wait, you are a bigoted fuck face displaying the characteristics that most people project on to Trump supporters. Go sit on a railroad spike.

  25. block "security" researchers by Anonymous Coward · · Score: 0

    Fucks sake, block all so called "security" researchers.