Israeli Cyber Experts Uncover Attack on 85,000 MySQL Servers (srnnews.com)
91 points by nobody9999 on Dec 23, 2020 | hide | past | favorite | 32 comments



Technical "details":

“The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users,” said Ophir Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday post. “By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.”


Puff piece with no technical details. This reads like a press release.


>Puff piece with no technical details. This reads like a press release.

Fair enough.

Here's a better link: https://threatpost.com/please_read_me-ransomware-mysql-serve...

I am unable to change the URL in the submission. Perhaps someone with appropriate privileges could do so?


Here is the source of all these articles with actual technical info on the attack:

https://www.guardicore.com/labs/please-read-me-opportunistic...


As noizejoy pointed out [0]:

> That site’s history with HN [1] isn’t exactly confidence inspiring.

Unfortunately, guardicore.com's "reputation" [2] isn't much better!

Of all the articles on this topic linked in this thread, the one from ThreatPost [3] is probably the "most reputable" as far as I'm concerned.

--

[0]: https://news.ycombinator.com/item?id=25524954

[1]: https://news.ycombinator.com/from?site=srnnews.com

[2]: https://news.ycombinator.com/from?site=guardicore.com

[3]: https://threatpost.com/please_read_me-ransomware-mysql-serve...


This has been going on for at least a couple of years. I ran into it with redis servers last year. They search for servers with simple/no passwords, lock up the data, and demand BTC to get it back.


I've stopped writing blog posts on it because it's still going on and there's not much new to add:

https://blog.shodan.io/its-still-the-data-stupid/

You can search for Redis instances that have disabled authentication and have a "crackit" key stored in them which is created by one of those Redis malware bots:

https://beta.shodan.io/search?query=crackit

I'll add that the vendors have actually gotten much better! Redis and MongoDB both now have good, secure defaults. And I believe both will throw you a huge warning if you're listening on 0.0.0.0 w/out authentication.


I love the favicon map:

https://faviconmap.shodan.io/


Something I didn't expect were the number of developers that hadn't heard of favicons before. Got quite a few people asking what those icons were. Btw there are security use-cases around them as well nowadays (ex. detecting phishing websites).


Do the crooks forget to add favicons to their phishing sites?

Favicons can be a single image or multiple images.

Here is a good recent thread on it on HN. Will put the map there as well come to think of it.

https://news.ycombinator.com/item?id=25520655


No, very often they do add the favicons! That makes it easier to locate websites that are outside of your expected IP space but are pretending to belong to you. For example:

https://beta.shodan.io/search?query=http.favicon.hash%3A7085...

It takes a bit more refining to get a good list of results; the general idea is to find websites that look like the real deal but are located somewhere on the Internet where you didn't expect to find them.


Wow, I wouldn't have expected so many (700k) fortigates


The amount of brute forcing attempts on servers of all and any kinds I run is absolutely nuts. But yes they are often trying only a small number of common accounts/passwords.

I keep meaning to sit down and do a bit of analysis on the source of the connections.


You'll find most of them coming from M247 or other anonymous-VPN relays.


I got the same thing with Postgres. It was on a toy project learning Docker Compose, naively used PORTS instead of EXPOSE on the DB container. Also the CPU of the Postgres process was at 100% so maybe I got some crypto miner too.


That site’s history with HN[0] isn’t exactly confidence inspiring.

[0] https://news.ycombinator.com/from?site=srnnews.com


You cannot infer anything useful about that site from that.

All of those prior submissions were from user 'dulo'. If you check their history, all 153 submissions of theirs are dead.

This includes submissions from such publications as the Washington Post, USA Today, Popular Science, Fortune, Slate, a whole bunch of newspapers from fairly major cities, and much more. Most of them seem to be reasonable submissions, too.

They were all within about a month or so of each other, starting right after the account was created, and mostly happened in large batches. It seems highly likely they tripped some anti-spam or anti-flooding detector and the user was perma-banned and all their submissions instantly killed.


If I was paid to “promote” a dodgy publication, I would certainly mask my efforts by submitting many respectable links. So, if the only submitter of that site (until this submission) got marked for unsavoury HN activities, it rather strengthens the case against that site.

Coupled with the current top comment[0], I’m inferring quite a bit about that site.

[0] https://news.ycombinator.com/item?id=25524177


I wonder if they've found some targeted way of cracking mysql passwords. Perhaps some large hosting services use a predictable way to hand out passwords? 85,000 sounds like perhaps a lot of wordpress database instances.


It's discouraging that so many companies don't back up their data.


And that they're leaving database servers globally accessible.

I do understand the need for network access but I'd never rely on the authentication frameworks (of any database server) to handle this. Limited network access or a front-end API (itself with limited access). Never expose your data source if you don't have to.


Agreed, it's interesting that there are this many databases exposed directly to the internet. Hasn't anyone heard of defense in depth and proxy servers?


The article said nothing about data backups.

They say the victims are buying their data back to prevent it being sold to a third-party.


From the article:

"Once they’re in the database, they steal the data, send it to their own servers and then delete it from the local machines," Harpaz continued. "The victim has to pay a ransom for the data to be returned."

Elsewhere in the article:

"Once hackers manage to steal the data, it is posted on a website and sold to the highest bidder unless the victim agrees to pay a ransom of roughly $500."

I conclude that we're both right :)

They delete "from the local machines" which I interpret to be the victim's server. If the victims had had data backups, as simple as a daily cron task that calls mysqldump, presumably they would be unconcerned about restoring their data. However, they would still worry about their data being sold.

Since there's zero guarantee that the thieves will take down the data for the $500 fee, it seems pointless to pay them. They could come back in a month and say "you owe us another $500". Or just go ahead and sell the data anyway.


Or that they’re still using MySQL instead of Postgres


How does one "uncover" a noisy ransomware attack?


Not opening your databases to the internet and not using dictionary based passwords would be a good start.

Other than that you need to invest time and effort into an IDS that suits your environment.
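One shape the IDS logic suggested above could take, added here as an example and not code from anyone in the thread: count "Access denied" lines in the MySQL error log per client host inside a sliding time window and flag hosts that cycle through accounts quickly. It assumes the server is configured to log failed logins (on MySQL 8 that needs log_error_verbosity=3); the log lines below are constructed, not captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the MySQL 8 error-log layout (not captured from a real server).
# One host cycles through common accounts in a few seconds; another has two spaced-out failures.
SAMPLE_LOG = """\
2020-12-23T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-23T10:00:02.000000Z 13 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-23T10:00:03.000000Z 14 [Note] Access denied for user 'wordpress'@'203.0.113.5' (using password: YES)
2020-12-23T10:00:04.000000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: NO)
2020-12-23T10:00:05.000000Z 16 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-23T10:00:06.000000Z 17 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2020-12-23T10:01:00.000000Z 18 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-12-23T10:15:00.000000Z 19 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
"""

# Timestamp, connection id, severity tag, then (possibly after MY-xxxxx/[Server] tags) the denial text.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+) \d+ \[\w+\].*?Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_denials(log_text):
    """Yield (timestamp, user, host) for each 'Access denied' line; other lines are ignored."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, m.group("user"), m.group("host")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {host: {"attempts": n, "users": [...]}} for every host whose failed
    logins inside some sliding window of length `window` reach `threshold`."""
    per_host = defaultdict(list)
    for ts, user, host in parse_denials(log_text):
        per_host[host].append((ts, user))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # drop events that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = {"attempts": best, "users": sorted({u for _, u in events})}
    return flagged

if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['attempts']} failures within one minute, accounts tried: {info['users']}")
```

A host that tries several distinct usernames in a burst is a stronger signal than repeated failures on one account, which is why the flagged record keeps the list of accounts tried.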


Does MySQL still listen to the internet by default?


For some time now, having installed it, it does not listen by default on 0.0.0.0 (all addresses) but instead on 127.0.0.1 - so the answer is no.


--skip-networking


What are you talking about?


The command line flag to mysqld that tells it to start without network protocols enabled. At that point you can only connect from a process local to that server (https://dev.mysql.com/doc/refman/8.0/en/server-system-variab...), so this attack vector is closed. But with poorly secured SSH/Apache/PHP/WordPress on the box it’s still trivial to get pwn’ed...



