Slashdot Mirror

← Back to Stories (view on slashdot.org)

Database Attacks Spread To CouchDB, Hadoop, and ElasticSearch Servers (bleepingcomputer.com)

Posted by EditorDavid on from the in-ur-database-killin-ur-data dept.

An anonymous reader writes: Two weeks after cybercriminal groups started to hijack and hold for ransom MongoDB servers, similar attacks are now taking place against CouchDB, Hadoop, and ElasticSearch servers. According to the latest tallies, the number of hijacked MongoDB servers is 34,000 (out of 69,000 available on Shodan), 4,681 ElasticSearch clusters (out of 33,000), 126 Hadoop datastores (out of 5,400), and 452 CouchDB databases (out of 4,600). Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.
Two security researchers are tracking the attacks on Google spreadsheets, and report that when a ransom is paid, many victims still report that their data is never restored. But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

9 of 67 comments (clear)

  1. Job security by Elentar · · Score: 4, Insightful

    Events like this are what keep sysadmins employed. If you're not paying someone to protect your technology infrastructure, including a layered backup strategy, an effective security policy, and regular audits, this is going to happen to you too.

    --
    The wheel it turns, around and around, with an ancient rumbling sound.
    1. Re:Job security by Billly+Gates · · Score: 3, Insightful

      This assumes management actually gives a crap about security. More than likely they will blame you and fire you and just bring in a paper mcse from Bangalore to administer the systems next using the hack as an excuse to cut costs

      --
      http://saveie6.com/
  2. Well, good by Sneftel · · Score: 3, Insightful

    Publicly and destructively reminding sysadmins to secure their data, rather than issuing sub rosa demands for bitcoins, is in some sense a reasonable approximation of internet philanthropy. And I notice that -- in contrast to standard ransomware procedure -- backups weren't targeted. More power to them.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    1. Re:Well, good by know1 · · Score: 3, Interesting

      The fact that not all software developers think security is their problem is what is making software worse. Security is EVERYONE'S problem.

    2. Re:Well, good by anchovy_chekov · · Score: 3, Interesting

      That's the problem. People who code CANNOT be experts in ALL domains related to their jobs. From my point of view, your extremely secure code ain't worth shit if your HTML and CSS can't even validate.

      Hence the fiction of the "full stack developer". When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.

    3. Re:Well, good by anchovy_chekov · · Score: 3, Interesting

      To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.

      True, but it's often not the sort of thing first and foremost in a developers mind. If she/he can connect to a database easily it's one less impediment to getting on with the task of writing code. It takes a different mindset to focus on what could possibly go wrong at a system level.

      A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."

    4. Re:Well, good by ls671 · · Score: 3, Funny

      but, but, they are noSQL databases thus, 100% injection proof... ;-)

      --
      Everything I write is lies, read between the lines.
  3. The only surprise is it took so long by gweihir · · Score: 3, Insightful

    I expect that quite a few people knew that there were a lot of not adequately secured and Internet-visible DB installations. It was only a question of time until somebody with the criminal energy to use that came along.

    Morale: If it is insecure and connected to the Internet, it will get hacked sooner or later.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Oh this just gets better and better... by mhkohne · · Score: 4, Insightful

    >Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.

    Well yea, they've extracted much of the money they are going to get from the victims (people are fixing things, or failing to pay because they've been hacked 6 times in a row and have no idea how to get their data.)

    >But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."

    I was wondering when we'd start to see this kind of activity. I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing. Morally I can't justify breaking other people's stuff just because they are a pain in my ass, but clearly there's someone out there who doesn't share my values.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.