Thousands of MySQL databases are potential victims to a ransom attack that appears to be an evolution of the MongoDB ransack campaign observed a couple months ago, GuardiCore warns.
As part of the attack, unknown actors are brute forcing poorly secured MySQL servers, enumerate existing databases and their tables, stealing them, and creating a new table to instruct owners to pay a 0.2 Bitcoin (around $200) ransom. Paying, the attackers claim, would provide owners with access to their data, but that’s not entirely true, as some databases are deleted without being stolen.
A similar attack came to light in early January, when Victor Gevers, co-founder of GDI Foundation, revealed that thousands of unsecured MongoDB databases were being hijacked, with actors demanding 0.2 Bitcoin for the stolen data. Soon after, other threat actors began hijacking insecure databases, and over 30,000 MongoDB instances fell to the attackers.
With an estimated 35,000 instances exposed to the public Internet, Elasticsearch clusters became targets as well, only to be followed by Hadoop and CouchDB databases within days. Attackers were observed overwriting each other’s ransom notes on the targeted databases, and were no longer copying the original data, but simply deleting it. Victims couldn’t retrieve their data even if they paid the ransom.
Now, MySQL databases are under fire: using online tools, actors search for servers secured with very weak passwords, brute force them to gain access, then replace the databases with their own table containing a ransom note. In some instances, they simply delete the databases without dumping them first, leaving victims with no means to recover the data.
According to the security firm, hundreds of attacks were observed during a 30-hour window starting at midnight on February 12. All attacks were traced to the same IP (18.104.22.168) and were all hosted by worldstream.nl, a Netherlands-based web hosting company, which was notified on the issue a couple of days later. The researchers believe the attackers were using a compromised mail server that also serves as HTTP(s) and FTP server.
Responding to an email inquiry, Ofri Ziv, Research Leader at GuardiCore, told SecurityWeek that the attacks were spread all around the world and didn’t appear to be targeting specific databases. He couldn’t provide an exact estimation of affected databases, but said “we do know of thousands of MySQL servers facing the Internet with weak passwords that are prone to attacks.”
The attacks are strikingly similar with the MongoDB ones, starting with the fact that the attackers are dropping ransom notes named WARNING and PLEASE_READ. However, Ziv says there’s no way to tell for sure whether the same attackers switched to MySQL servers now. “But even if it’s not the case, they were definitely inspired by them,” he told SecurityWeek.
The Bitcoin addresses in the ransom notes show signs of activity, but GuardiCore says that isn’t proof that victims actually paid the ransom. The transactions might have been staged by the actors themselves, in an attempt to encourage victims to pay the ransom.
“Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration,” GuardiCore notes in a blog post.
The security firm notes that every MySQL server facing the Internet is prone to this attack, and advises administrators to ensure their instances are properly secured using strong passwords and mandatory authentication. Further, admins should minimize the Internet facing services, especially those containing sensitive information.
“Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This way your security team could easily alert on new services being accessed from the internet and enforce a policy which fits those servers (e.g. firewall, data restrictions, etc.). Periodic data backup could allow you restore most of your valuable data without the need to interact with the attacker and provide you with a backup plan should a similar attack occurs,” GuardiCore also notes.