Database Attacks Spread To CouchDB, Hadoop, and ElasticSearch Servers (bleepingcomputer.com)
An anonymous reader writes: Two weeks after cybercriminal groups started to hijack and hold for ransom MongoDB servers, similar attacks are now taking place against CouchDB, Hadoop, and ElasticSearch servers. According to the latest tallies, the number of hijacked MongoDB servers is 34,000 (out of 69,000 available on Shodan), 4,681 ElasticSearch clusters (out of 33,000), 126 Hadoop datastores (out of 5,400), and 452 CouchDB databases (out of 4,600). Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.
Two security researchers are tracking the attacks on Google spreadsheets, and report that when a ransom is paid, many victims still report that their data is never restored. But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."
no ransom 'cause (Score:2)
But it's fast as hell (Score:3)
They ARE WEBSCALE!
NoSQL DBs make MySQL look good (Score:2, Insightful)
It's really, really pathetic how often NoSQL DBs make even MySQL look good.
Re: (Score:2)
Re: (Score:2)
I've seen PostgreSQL run rings around MongoDB. This being the case, there isn't a real reason to even bother with MongoDB... just stay with something tried and true that has a known good security model.
Re: (Score:2)
Re: (Score:2)
But it's fast as hell [youtu.be]!
Re: (Score:2)
Does anyone else remember the shit MS got on here years ago when MS SQL Server was being pwned in the exact same manner - weak default root account passwords...? Or rather, no password at all...
Here we are, 15 years on and very few seemed to have learned anything from the SQL Server debacle.
Re: (Score:2)
Do you know how I know you have never installed MS SQL server?
Job security (Score:5, Insightful)
Events like this are what keep sysadmins employed. If you're not paying someone to protect your technology infrastructure, including a layered backup strategy, an effective security policy, and regular audits, this is going to happen to you too.
Re:Job security (Score:4, Insightful)
This assumes management actually gives a crap about security. More than likely they will blame you and fire you and just bring in a paper MCSE from Bangalore to administer the systems next, using the hack as an excuse to cut costs.
Re: (Score:2)
An example will have to be made.
Yahoo was/is looking like a good one. They have already lost a cool billion in valuation due to lack of security, ignoring the real payday they passed on a decade or so ago.
Verizon should slowly rake them over the coals, drag it out as long as possible while _punishing_ the shareholders and employees.
The only way (Score:1)
Well, good (Score:4, Insightful)
Publicly and destructively reminding sysadmins to secure their data, rather than issuing sub rosa demands for bitcoins, is in some sense a reasonable approximation of internet philanthropy. And I notice that -- in contrast to standard ransomware procedure -- backups weren't targeted. More power to them.
Re: (Score:1)
Security is not my department. If you want your servers secure, you should have done better than have two of your software developers set them up for your company.
Re: (Score:3, Interesting)
Re: (Score:1)
Re:Well, good (Score:4, Interesting)
That's the problem. People who code CANNOT be experts in ALL domains related to their jobs. From my point of view, your extremely secure code ain't worth shit if your HTML and CSS can't even validate.
Hence the fiction of the "full stack developer". When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.
Re: (Score:2)
> When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.
To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.
Re: (Score:2, Interesting)
> Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.
It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.
Re:Well, good (Score:4, Funny)
but, but, they are noSQL databases thus, 100% injection proof... ;-)
Re: (Score:2)
> but, but, they are noSQL databases thus, 100% injection proof... ;-)
Best belly chuckle of the day!
Re: (Score:1)
> It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.
We weren't talking about that, we were talking about having databases accessible to the public. I'm fully aware there are other attack vectors, but having your DB on a public port/machine is up there with using "p@ssword" as your password.
Re: (Score:2)
Some people would say having your DB server running the same OS as your web server is equally insecure/stupid.
Granted it's usually DB2/AS400 (or some other half dead ecosystem) people saying it. But fundamentally, they have a point.
Re:Well, good (Score:4, Interesting)
> To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.
True, but it's often not the sort of thing first and foremost in a developer's mind. If she/he can connect to a database easily, it's one less impediment to getting on with the task of writing code. It takes a different mindset to focus on what could possibly go wrong at a system level.
A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."
Re: (Score:2)
If developers are routinely attaching to live servers, you have deeper problems.
Many places, more or less, require you to run a development DB copy local, just to escape the 'preventers of information services' from bogging you down.
Re: (Score:2)
> A QA once pointed this distinction out to me. As she said, "You want to make beautiful things... and I want to destroy them."
Now I have this image in my head of a female QA engineer with tentacles, with a gruesome weapon in each one. And I desperately want to make love to it.
Re: (Score:2)
> Now I have this image in my head of a female QA engineer with tentacles, with a gruesome weapon in each one. And I desperately want to make love to it.
*Chuckle*
"And can I introduce you to the chief of our QA department. Apologies for the headless bodies of software developers, that's just the way she works."
Re: (Score:2)
In my experience, at least half of working DBAs are just vastly overpaid backup monkeys.
Even among the 'good ones' you'll find a lot more competent SQL programmers than competent security specialists.
Of course 'security specialists' aren't, as a group, all that useful either.
The real problem is hiring and HR. It is a critical role and is almost always filled by someone who wouldn't know a competent computer geek if he was chewing her.
Re: (Score:2)
Non-validating HTML and CSS in a project that is otherwise secure is still better than something that gets pwned.
look, people don't need to be experts in ALL domains. they just need to think "how the snotty boy next door is going to pwn this" and that's already enough. however the way things go nowadays is that people throw together a template prototype and the management sells that as a product to the customer - eos - then IF the project is something that actually makes money then MAYBE it is thought throu
Re: Well, good (Score:2)
I don't know how many times I've had to tell developers that source code is not the place for credentials to be stored. They give me some whiner line or another, and that's when I ask them if they know exactly who has access to read their code once they push their commit, and how they are going to answer to the SOX auditors (and company executives) because I'm not going to cover their ass after specifically setting up infrastructure for dealing with securing credentials that they are too lazy to use.
Strang
No ransom? Unthinkable! (Score:1)
Re: (Score:1)
That was for the lulz? Don't replace everything with a boring string. Instead, make lots of subtle changes. Lower all prices by 10-20% if it is a shop. Swap first and last names. Replace any zipcode with its square root.
Repeat weekly, "for the lulz". See how many months you can keep doing it. Be creative in your destruction!
Re: (Score:2)
Re: (Score:2)
While I sort-of agree, with management always looking for cheapest (not "cheapest possible that still gets the job done"), their replacements will likely be worse.
Re: (Score:2)
Re: (Score:2)
But, does shit float in cream?
Enquiring minds want to know.
The only surprise is it took so long (Score:4, Insightful)
I expect that quite a few people knew that there were a lot of not adequately secured and Internet-visible DB installations. It was only a question of time until somebody with the criminal energy to use that came along.
Moral: If it is insecure and connected to the Internet, it will get hacked sooner or later.
Oh this just gets better and better... (Score:5, Insightful)
>Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.
Well, yeah, they've extracted much of the money they are going to get from the victims (people are fixing things, or failing to pay because they've been hacked 6 times in a row and have no idea how to get their data).
>But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."
I was wondering when we'd start to see this kind of activity. I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing. Morally I can't justify breaking other people's stuff just because they are a pain in my ass, but clearly there's someone out there who doesn't share my values.
Re: (Score:2)
> I suspect we'll eventually start to see this with the IoT devices - someone will hack the botnet code to brick (perhaps temporarily, perhaps permanently) devices that are infectable, so as to reduce the havoc those devices are causing.
Immoral or not, I'd love to see botnet operators installing security patches on the devices they control, just so they won't get reinfected by the bricking code.
Re: (Score:2)
Unfortunately bricking IoT devices is likely to be the only solution for many of them. Say you are an ISP and you find that a popular model of IoT lightbulb has created a vast botnet inside your network. If you don't do something about it your network will start to get blacklisted and blocked to mitigate the damage. The vendor isn't interested in updating the firmware, and even if they did you have no way to force all users to take the update and just contacting them will cost you a small fortune.
So you blo
Ransomware (Score:2)
Ransomware is web scale!
Rookie mistake (Score:2)
Always secure your admin console. Make sure it never listens on remote addresses; 127.0.0.1 is a good address to use. Also make sure it has a nice long secure password, and after updates and patches test the login. Negative-test it. That's just basic DBA work. It can even be scripted.
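As an added example (not from the article or any commenter), here is one way to script the two checks this thread keeps coming back to: the "can I see the database from another box" portscan, and the negative test that an admin console refuses unauthenticated requests. It assumes you run it on the database host itself; the port numbers are the well-known defaults for the products named in the story, not values taken from the article.

```python
import socket
from http.client import HTTPConnection

# Well-known default listener ports for the products named in the thread
# (MongoDB, ElasticSearch, CouchDB); the Hadoop web UI port varies by version,
# so add your own entry for it when you run this.
DEFAULT_PORTS = {"mongodb": 27017, "elasticsearch": 9200, "couchdb": 5984}

def tcp_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def primary_address():
    """Best-effort non-loopback IPv4 address of this host; None if it has none."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 9))  # TEST-NET-1: selects a route, sends nothing
            return s.getsockname()[0]
        except OSError:
            return None

def classify(port, external_addr):
    """'exposed' if reachable on a non-loopback address, 'local' if only on
    127.0.0.1 (what the thread recommends), 'closed' if nothing listens."""
    if external_addr and tcp_open(external_addr, port):
        return "exposed"
    return "local" if tcp_open("127.0.0.1", port) else "closed"

def unauthenticated_http_allowed(host, port, path="/", timeout=1.0):
    """Negative test: a GET with no credentials must be rejected (401/403).
    Returns True when the service answers with anything else, i.e. it is open."""
    try:
        conn = HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status not in (401, 403)
    except OSError:
        return False

def audit(ports=DEFAULT_PORTS):
    """Map each service name to its exposure class on this machine."""
    ext = primary_address()
    return {name: classify(port, ext) for name, port in ports.items()}

if __name__ == "__main__":
    for name, state in audit().items():
        print(f"{name:14s} {state}")
```

Anything reported as "exposed" is exactly the condition the commenter above describes: the database is visible from a different box and needs to be fixed, and any HTTP admin console for which unauthenticated_http_allowed() returns True fails the negative login test.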
This strange effect (Score:2)
> "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."
Sad times when a thing like this is now considered strange, why-o-why didn't the hacker ask for money!?