Slashdot Mirror


Database Attacks Spread To CouchDB, Hadoop, and ElasticSearch Servers (bleepingcomputer.com)

An anonymous reader writes: Two weeks after cybercriminal groups started to hijack and hold for ransom MongoDB servers, similar attacks are now taking place against CouchDB, Hadoop, and ElasticSearch servers. According to the latest tallies, the number of hijacked MongoDB servers is 34,000 (out of 69,000 available on Shodan), 4,681 ElasticSearch clusters (out of 33,000), 126 Hadoop datastores (out of 5,400), and 452 CouchDB databases (out of 4,600). Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.
Two security researchers are tracking the attacks on Google spreadsheets, and report that when a ransom is paid, many victims still report that their data is never restored. But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."


  1. no ransom 'cause by turkeydance · · Score: 1

    data ain't worth it. "shit".

  2. But it's fast as hell by Billly+Gates · · Score: 2

    They ARE WEBSCALE!

  3. NoSQL DBs make MySQL look good by Anonymous Coward · · Score: 2, Insightful

    It's really, really pathetic how often NoSQL DBs make even MySQL look good.

    1. Re:NoSQL DBs make MySQL look good by Billly+Gates · · Score: 1
    2. Re:NoSQL DBs make MySQL look good by Richard_at_work · · Score: 1

      Does anyone else remember the shit MS got on here years ago when MS SQL Server was being pwned in the exact same manner - weak default root account passwords...? Or rather, no password at all...

      Here we are, 15 years on and very few seemed to have learned anything from the SQL Server debacle.

    3. Re:NoSQL DBs make MySQL look good by HornWumpus · · Score: 1

      Do you know how I know you have never installed MS SQL server?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re: NoSQL DBs make MySQL look good by slazzy · · Score: 1

      postgresql is still the best. Can be slow if configured incorrectly but it's otherwise an amazing database. https://www.postgresql.org/

      --
      Website Just Down For Me? Find out
    5. Re: NoSQL DBs make MySQL look good by hlavac · · Score: 1

      Postgresql isolation model is shit.

    6. Re: NoSQL DBs make MySQL look good by mlts · · Score: 1

      I've seen PostgreSQL run rings around MongoDB. This being the case, there isn't a real reason to even bother with MongoDB... just stay with something tried and true that has a known good security model.

  4. Job security by Elentar · · Score: 4, Insightful

    Events like this are what keep sysadmins employed. If you're not paying someone to protect your technology infrastructure, including a layered backup strategy, an effective security policy, and regular audits, this is going to happen to you too.

    --
    The wheel it turns, around and around, with an ancient rumbling sound.
    1. Re:Job security by Billly+Gates · · Score: 3, Insightful

      This assumes management actually gives a crap about security. More than likely they will blame you and fire you and just bring in a paper MCSE from Bangalore to administer the systems next, using the hack as an excuse to cut costs.

    2. Re:Job security by HornWumpus · · Score: 1

      An example will have to be made.

      Yahoo was/is looking like a good one. They have already lost a cool billion in valuation due to lack of security, ignoring the real payday they passed on a decade or so ago.

      Verizon should slowly rake them over the coals, drag it out as long as possible while _punishing_ the shareholders and employees.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  5. The only way by XparXnoiaX · · Score: 1

    That's how it should be. The only way we can ever get corporations to be more secure is by hurting them. A little ransom doesn't hurt.

    --
    Irresponsible disclosure is responsible
  6. Well, good by Sneftel · · Score: 3, Insightful

    Publicly and destructively reminding sysadmins to secure their data, rather than issuing sub rosa demands for bitcoins, is in some sense a reasonable approximation of internet philanthropy. And I notice that -- in contrast to standard ransomware procedure -- backups weren't targeted. More power to them.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    1. Re:Well, good by Anonymous Coward · · Score: 1

      Security is not my department. If you want your servers secure, you should have done better than have two of your software developers set them up for your company.

    2. Re:Well, good by know1 · · Score: 3, Interesting

      The fact that not all software developers think security is their problem is what is making software worse. Security is EVERYONE'S problem.

    3. Re:Well, good by DontBeAMoran · · Score: 1

      That's the problem. People who code CANNOT be experts in ALL domains related to their jobs. From my point of view, your extremely secure code ain't worth shit if your HTML and CSS can't even validate.

      --
      #DeleteFacebook
    4. Re:Well, good by anchovy_chekov · · Score: 3, Interesting

      That's the problem. People who code CANNOT be experts in ALL domains related to their jobs. From my point of view, your extremely secure code ain't worth shit if your HTML and CSS can't even validate.

      Hence the fiction of the "full stack developer". When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.

    5. Re:Well, good by know1 · · Score: 2

      When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.

      To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

    6. Re:Well, good by Anonymous Coward · · Score: 2, Interesting

      Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

      It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.

    7. Re:Well, good by anchovy_chekov · · Score: 3, Interesting

      To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

      True, but it's often not the sort of thing first and foremost in a developer's mind. If she/he can connect to a database easily it's one less impediment to getting on with the task of writing code. It takes a different mindset to focus on what could possibly go wrong at a system level.

      A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."

    8. Re:Well, good by ls671 · · Score: 3, Funny

      but, but, they are noSQL databases thus, 100% injection proof... ;-)

      --
      Everything I write is lies, read between the lines.
    9. Re:Well, good by know1 · · Score: 1

      It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.

      We weren't talking about that, we were talking about having databases accessible to the public. I'm fully aware there are other attack vectors, but having your DB on a public port/machine is up there with using "p@ssword" as your password.

    10. Re:Well, good by anchovy_chekov · · Score: 1

      but, but, they are noSQL databases thus, 100% injection proof... ;-)

      Best belly chuckle of the day!

    11. Re:Well, good by HornWumpus · · Score: 1

      In my experience, at least half of working DBAs are just vastly overpaid backup monkeys.

      Even among the 'good ones' you'll find a lot more competent SQL programmers then competent security specialists.

      Of course 'security specialists' aren't, as a group, all that useful either.

      The real problem is hiring and HR. It is a critical role and is almost always filled by someone who wouldn't know a competent computer geek if he was chewing her.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    12. Re:Well, good by HornWumpus · · Score: 1

      Some people would say having your DB server running the same OS as your web server is equally insecure/stupid.

      Granted it's usually DB2/AS400 (or some other half dead ecosystem) people saying it. But fundamentally, they have a point.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    13. Re:Well, good by HornWumpus · · Score: 1

      If developers are routinely attaching to live servers, you have deeper problems.

      Many places, more or less, require you to run a development DB copy local, just to escape the 'preventers of information services' from bogging you down.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    14. Re:Well, good by cerberusss · · Score: 1

      A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."

      Now I have this image in my head of a female QA engineer with tentacles, with a gruesome weapon in each one. And I desperately want to make love to it.

      --
      8 of 13 people found this answer helpful. Did you?
    15. Re: Well, good by MachineShedFred · · Score: 1

      I don't know how many times I've had to tell developers that source code is not the place for credentials to be stored. They give me some whiner line or another, and that's when I ask them if they know exactly who has access to read their code once they push their commit, and how they are going to answer to the SOX auditors (and company executives) because I'm not going to cover their ass after specifically setting up infrastructure for dealing with securing credentials that they are too lazy to use.

      Strangely, they see the light and start doing it the right way. And then I rotate the password that they had already put into git, since it would still be in the commit history. /sigh

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
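      MachineShedFred's point that a credential pushed to git stays readable in the history after it is "removed" (hence the rotation) is easy to demonstrate. The following is an added example, not code from the thread or from any project it mentions: a constructed three-commit history and a Python scan that flags credentials on added lines and reports whether a given secret is still recoverable anywhere in that history. The commit ids, the connection string, the key value and the regex patterns are all constructed for illustration.

```python
import re

# Constructed commit history: (commit id, unified-diff-style patch text).
# Commit c0ffee2 "removes" the password, but it is still readable in c0ffee1.
SAMPLE_HISTORY = [
    ("c0ffee1", '+DB_URL = "mongodb://app:Tr0ub4dor3!@db.internal:27017/shop"\n'),
    ("c0ffee2", '-DB_URL = "mongodb://app:Tr0ub4dor3!@db.internal:27017/shop"\n'
                '+DB_URL = os.environ["DB_URL"]\n'),
    ("c0ffee3", '+API_KEY = "EXAMPLE-KEY-NOT-REAL-0123456789"\n'),
]

# Illustrative patterns (assumed, not a production rule set): a password embedded
# in a connection URL, and a literal assigned to a secret-looking variable name.
SECRET_PATTERNS = [
    re.compile(r"://[^/\s:]+:([^@\s]+)@"),
    re.compile(r"(?i)(?:password|passwd|api_key|secret)\s*=\s*['\"]([^'\"]+)['\"]"),
]


def find_committed_secrets(history, patterns=SECRET_PATTERNS):
    """Return [(commit, secret)] for every *added* line that matches a pattern.

    Only '+' lines are scanned, so each leak is reported once, at the commit
    that introduced it, rather than again at the commit that deleted it.
    """
    hits = []
    for commit, patch in history:
        for line in patch.splitlines():
            if not line.startswith("+"):
                continue
            for pat in patterns:
                for match in pat.finditer(line):
                    hits.append((commit, match.group(1)))
    return hits


def still_in_history(history, secret):
    """True if `secret` is recoverable from any commit, added or removed.

    A True result for the credential currently in use is the case the comment
    describes: deleting the line is not enough, the value has to be rotated.
    """
    return any(secret in patch for _, patch in history)


if __name__ == "__main__":
    for commit, secret in find_committed_secrets(SAMPLE_HISTORY):
        print(f"{commit}: committed secret {secret!r}, "
              f"still in history: {still_in_history(SAMPLE_HISTORY, secret)}")
```

      In a real repository the patch text would come from `git log -p` (or the equivalent of your hosting platform's API); the scan itself stays the same, and any value it reports should be treated as compromised and rotated rather than merely deleted from the working tree.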
    16. Re:Well, good by anchovy_chekov · · Score: 1

      Now I have this image in my head of a female QA engineer with tentacles, with a gruesome weapon in each one. And I desperately want to make love to it.

      *Chuckle*

      "And can I introduce you to the chief of our QA department. Apologies for the headless bodies of software developers, that's just the way she works."

    17. Re:Well, good by gl4ss · · Score: 1

      non validating html and css in a project that is otherwise secure is still better than something that gets pwned.

      look, people don't need to be experts in ALL domains. they just need to think "how the snotty boy next door is going to pwn this" and that's already enough. however the way things go nowadays is that people throw together a template prototype and the management sells that as a product to the customer - eos - then IF the project is something that actually makes money then MAYBE it is thought through again from any kind of security viewpoint,

      if project management happens to separate concerns in the project enough that only the project management (who doesn't understand or care) would know all the things to answer that question then the problem is right there.

      so your view is a pretty moran view. nobody cares if the html and css validates- they care if it renders. and on the other hand nobody fucking cares if your html and css validates if it doesn't render in the browser the audience of the website is using!

      --
      world was created 5 seconds before this post as it is.
  7. No ransom? Unthinkable! by know1 · · Score: 1

    > the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    Glad to see there's still some people doing it for the lulz.

    1. Re:No ransom? Unthinkable! by Anonymous Coward · · Score: 1

      That was for the lulz? Don't replace everything with a boring string. Instead, make lots of subtle changes. Lower all prices by 10-20% if it is a shop. Swap first and last names. Replace any zipcode with its square root.

      Repeat weekly, "for the lulz". See how many months you can keep doing it. Be creative in your destruction!

  8. left their web-based admin panel open to remote co by mmell · · Score: 1

    And got exactly what they deserved.

    I hope all of these admins are now getting well deserved unemployment checks. This was just plain stupid, and not being a security expert is no excuse.

  9. The only surprise is it took so long by gweihir · · Score: 3, Insightful

    I expect that quite a few people knew that there were a lot of not adequately secured and Internet-visible DB installations. It was only a question of time until somebody with the criminal energy to use that came along.

    Moral: If it is insecure and connected to the Internet, it will get hacked sooner or later.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Re:left their web-based admin panel open to remote by gweihir · · Score: 1

    While I sort-of agree, with management always looking for cheapest (not "cheapest possible that still gets the job done"), their replacements will likely be worse.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Oh this just gets better and better... by mhkohne · · Score: 4, Insightful

    >Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.

    Well yea, they've extracted much of the money they are going to get from the victims (people are fixing things, or failing to pay because they've been hacked 6 times in a row and have no idea how to get their data.)

    >But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    I was wondering when we'd start to see this kind of activity. I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing. Morally I can't justify breaking other people's stuff just because they are a pain in my ass, but clearly there's someone out there who doesn't share my values.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:Oh this just gets better and better... by djinn6 · · Score: 1

      I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing.

      Immoral or not, I'd love to see botnet operators installing security patches on the devices they control, just so they won't get reinfected by the bricking code.

    2. Re:Oh this just gets better and better... by AmiMoJo · · Score: 1

      Unfortunately bricking IoT devices is likely to be the only solution for many of them. Say you are an ISP and you find that a popular model of IoT lightbulb has created a vast botnet inside your network. If you don't do something about it your network will start to get blacklisted and blocked to mitigate the damage. The vendor isn't interested in updating the firmware, and even if they did you have no way to force all users to take the update and just contacting them will cost you a small fortune.

      So you block their servers at the DNS level, maybe block the outgoing ports they use too. Lots of ISPs already block port 25 for this exact reason - too many infected PCs sending spam.

      Naturally the bulb no longer works, but most customers will just assume it is broken and buy another one from eBay, or call you so that you can explain how their lightbulb has a virus and had to be blocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  12. Re: left their web-based admin panel open to remot by mmell · · Score: 1

    That's true. Cream may rise to the top, but shit floats.

  13. Ransomware by cstacy · · Score: 1

    Ransomware is web scale!

  14. Re: left their web-based admin panel open to remot by AJWM · · Score: 1

    But, does shit float in cream?

    Enquiring minds want to know.

    --
    -- Alastair
  15. Rookie mistake by plopez · · Score: 1

    Always secure your admin console. Make sure they do not ever listen to remote addresses, 127.0.0.1 is a good address to use. Also make sure it has a nice long secure password and after updates and patches test the login. Negative test it. That's just basic DBA work. It can even be scripted.

    --
    putting the 'B' in LGBTQ+
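    Both know1's check earlier in the thread ("run a portscan; if you can see the database from a different box, you need to fix it") and plopez's advice here (bind the admin console to 127.0.0.1, then negative-test the login after every update) can be scripted. The following is an added example, not code from the thread or from any of the products named in the story: a small Python checker plus a constructed stand-in admin console, so that the checks run offline. The entries in DEFAULT_PORTS are the products' well-known default listening ports (the Hadoop one is the 2.x NameNode web UI); the function names, the demo password and the stand-in console are assumptions made for this example.

```python
import base64
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Well-known default listening ports of the products in the story. The Hadoop
# entry is the 2.x NameNode web UI (Hadoop 3.x moved it to 9870).
DEFAULT_PORTS = {
    "mongodb": 27017,
    "elasticsearch": 9200,
    "couchdb": 5984,
    "hadoop-namenode-ui": 50070,
}


def port_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds from *this* machine.

    Run it from a box other than the database host: True for a database or
    admin console means the service answers over the network, which is the
    exposure the whole thread is about.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, host unreachable, ...
        return False


def check_exposure(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Map each service name to whether its default port answers on `host`."""
    return {name: port_reachable(host, port, timeout) for name, port in ports.items()}


def login_status(url, user, password, timeout=2.0):
    """HTTP status the console returns for the given HTTP Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def login_rejected(url, user, password, timeout=2.0):
    """Negative test: True only if the console refuses these credentials."""
    return login_status(url, user, password, timeout) in (401, 403)


# --- constructed stand-in for an admin console, so the checks run offline ---

def make_handler(expected_password):
    """Handler that serves a page only to admin:<expected_password>."""
    expected = base64.b64encode(f"admin:{expected_password}".encode()).decode()

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == f"Basic {expected}":
                body, status = b"admin console\n", 200
            else:
                body, status = b"unauthorized\n", 401
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_demo_console(password, host="127.0.0.1"):
    """Start the stand-in console on an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer((host, 0), make_handler(password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """A loopback port nothing is listening on (a constructed 'closed' target)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server, port = start_demo_console("correct-horse")  # demo password, assumed
    url = f"http://127.0.0.1:{port}/"
    print("console reachable on loopback:", port_reachable("127.0.0.1", port))
    print("wrong password rejected:      ", login_rejected(url, "admin", "p@ssword"))
    print("right password accepted:      ", not login_rejected(url, "admin", "correct-horse"))
    print("closed port reachable:        ", port_reachable("127.0.0.1", free_port()))
    server.shutdown()
```

    The two halves are meant for two vantage points: `check_exposure(db_host)` run from a machine that should not be able to reach the database, where every value should be False, and `login_rejected(console_url, "admin", "<known-bad password>")` run after each update or patch, where a console that answers 200 to bad credentials is the reset-to-defaults failure the comment warns about.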
  16. This strange effect by sad_ · · Score: 1

    "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    Sad times when a thing like this is now considered strange, why-o-why didn't the hacker ask for money!?

    --
    On a long enough timeline, the survival rate for everyone drops to zero.