
Report: Unsecured, Misconfigured Databases Breached in Just 8 Hours

Comparitech finds it takes hackers less than nine hours to compromise unsecured or misconfigured databases, with attackers proactively targeting data instead of relying on Shodan.


By Jessica Davis

New research from Comparitech shows hackers begin targeting online databases just hours after the initial setup process, finding that inadvertently unsecured or misconfigured databases can be compromised in just over eight hours.

Misconfigured or unsecured databases have led to several massive healthcare data breaches in recent years. Indeed, IntSights research found about one-third of healthcare databases stored locally and in the cloud were currently exposed to the internet and putting patient data at risk.

For example, in January 2020 TechCrunch discovered that a flaw in the back end of LabCorp’s internal customer relationship management system was exposing patient health data. And in August, two third-party vendors reported data breaches caused by misconfigured databases, exposing the data of nearly 90,000 patients.

Comparitech sought to assess just how vulnerable this exposed data is to attack and created a honeypot, or a simulation of a database on an Elasticsearch instance, a cloud server where data is often stored.

Complete with fake user data, researchers purposely left the data unsecured to determine who would connect to it and the methods used to steal, scrape, or destroy the information.

Researchers left the data exposed from May 11 to May 22. Just eight hours after deployment, the exposed data received 175 unauthorized requests, or what the researchers call attacks. On average, the honeypot was hit with 18 attacks per day, with the first attack occurring eight hours and 35 minutes after it was deployed.

“To find vulnerable databases, many attackers use an IoT search engine like Shodan.io or BinaryEdge,” researchers explained. “Shodan indexed our honeypot on May 16, which means it was then listed in search results.”

“Within just one minute of being indexed by Shodan, two attacks took place,” they continued. “The largest number of attacks in a single day occurred on the same day the database was indexed: 22 attacks in total.”

Notably, more than 36 attacks on the database occurred before it was indexed on these sites, which researchers explained demonstrates hackers are leveraging proactive scanning tools to find vulnerable online data, “rather than waiting on passive IoT search engines like Shodan to crawl vulnerable databases.”

A malicious ransomware bot discovered the data on May 29 and then deleted the contents of the database, leaving behind a message with contact information, a request for payment, and a threat that the data will be used, leaked, or sold by the attacker.

Although the research had concluded, Comparitech assessed the attack method used by the threat actor.

“The attack started by looking at the list of indexes with the command /_cat/indices?v. After the list of indexes was received, the attacker reviewed the contents of the default index with the command /index/_search?,” researchers explained.

“The attacker then created an index, where he left the document with the ransom note,” they added.

The attack lasted a mere five seconds, leveraging GET methods to obtain index data, DELETE to delete the database, and POST to leave the ransom note.
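A defender can look for that burst in the HTTP access logs of an Elasticsearch node. The sketch below is an added example, not code from Comparitech or from this article; the log line layout, the 60-second window, and the sample addresses, timestamps and index names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, client IP, method, path.
# Addresses are documentation ranges; "/readme/_doc" is a hypothetical index.
SAMPLE_LOG = """\
2020-01-01T10:00:00 203.0.113.7 GET /_cat/indices?v
2020-01-01T10:00:01 203.0.113.7 GET /index/_search?
2020-01-01T10:00:03 203.0.113.7 DELETE /index
2020-01-01T10:00:04 203.0.113.7 POST /readme/_doc
2020-01-01T11:15:00 198.51.100.9 GET /_cat/indices?v
2020-01-01T11:15:02 198.51.100.9 GET /index/_search?
2020-01-01T12:00:00 192.0.2.44 GET /_cat/indices?v
2020-01-01T13:30:00 192.0.2.44 DELETE /index
"""

# The order described in the article: list indexes, read, delete, write a note.
STAGES = [
    ("GET", re.compile(r"^/_cat/indices")),
    ("GET", re.compile(r"/_search")),
    ("DELETE", re.compile(r"^/")),
    ("POST", re.compile(r"^/")),
]

def find_wipe_sequences(log_text, window=timedelta(seconds=60)):
    """Return (ip, seconds) for clients that complete all stages in the window."""
    progress = {}  # ip -> (index of next expected stage, time of first stage)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, method, path = parts
        when = datetime.fromisoformat(ts)
        stage, start = progress.get(ip, (0, None))
        if stage and when - start > window:
            stage, start = 0, None  # too slow to be one automated burst
        want_method, want_path = STAGES[stage]
        if method == want_method and want_path.search(path):
            if stage == 0:
                start = when
            stage += 1
            if stage == len(STAGES):
                alerts.append((ip, (when - start).total_seconds()))
                stage, start = 0, None
        progress[ip] = (stage, start)
    return alerts

if __name__ == "__main__":
    print(find_wipe_sequences(SAMPLE_LOG))
```

Only the first client is flagged; the second never deletes anything, and the third spreads its requests over far more than the window.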

Researchers also analyzed the attack methods used by the hackers and found the majority of attacks (147) used the GET request method. Twenty-four attacks used the POST method, which researchers said was particularly popular for attacks originating from China.

Further, the attackers also attempted to hijack the servers to mine cryptocurrency, steal passwords, and destroy data. Most commonly, the threat actors targeted the honeypot through a remote code execution exploit on Elasticsearch servers. The goal was to gain access through Java functions and download a script miner.

Attackers also attempted to steal credentials from the honeypot, exploiting the same vulnerability used in the cryptominer attack and a path traversal vulnerability. The last attack method attempted to change the server configuration to allow the attacker to delete the data from the server. The threat actor also attempted to turn off the server’s firewall.

“Comparitech’s security research team regularly uncovers unsecured or misconfigured servers that leak sensitive user data on the web,” researchers explained. “Although we do our best to quickly alert whoever is responsible for exposures we find, the data often sits exposed and vulnerable for anywhere from a few hours up to a few weeks while we hunt down the owner and wait for a response.”

“Time is of the essence in these situations,” they added.