Most organizations use databases to store sensitive information. This includes passwords, usernames, document scans, health records, bank account and credit card details, as well as other essential data, all easily searchable and conveniently stored in one place.
Unsurprisingly, this makes databases a prime target for malicious actors who are eager to exploit unprotected systems and get their hands on profitable information. In fact, attackers often don’t even need to hack them to steal all that precious data: one of the most common causes of a breach are databases that have been simply left unsecured, allowing anyone to access the data without providing a username or password.
Such lapses in database security can (and often do) lead to hundreds of millions of people having their personal information exposed on the internet, allowing threat actors to use that data for a variety of malicious purposes, including phishing and other types of social engineering attacks, as well as identity theft.
While there’s been a noticeable decline in data leaks from open databases in the last year, many database managers are still struggling to keep their data protected from unauthorized access.
But just how many unsecured databases are still out there? That’s what we at CyberNews wanted to find out.
What we discovered was eye-opening: tens of thousands of database servers are still left out in the open for anyone to access, with more than 29,000 instances of unprotected databases leaving nearly 19 petabytes of data exposed to theft, tampering, deletion, and worse.
The fact that thousands of open databases are exposing data is not new. Indeed, cybercriminals are so well-aware of this that it can take mere hours for an unprotected database to be detected and attacked by threat actors.
One would suppose that after years of massive leaks, ransom demands, and even devastating data wipeouts by feline hackers (meow) making the headlines, database owners would now be aware of the problem enough to, at the very least, ask for a username and password before letting anyone in.
Unfortunately, as our investigation shows, this does not seem to be the case.
To conduct this investigation, we used a specialized search engine to scan for open databases of three of the most popular database types: Hadoop, MongoDB, and Elasticsearch.
While performing the search, we made sure that the open databases we found required no authentication whatsoever and were open for anyone to access, as opposed to those that had default credentials enabled. We excluded the latter because it would require us to log in to those databases without authorization, which would be unethical. As a result, the actual number of unprotected databases and the amount of exposed data is likely even higher than what we were able to find.
With the initial search completed, we then ran a custom script to measure the size of each unprotected database, without gaining access to the data stored within.
Here’s what we found.
Our findings show that at least 29,219 unprotected Elasticsearch, Hadoop, and MongoDB databases are left out in the open.
Hadoop clusters dwarf the competition in terms of exposed data with nearly 19 petabytes easily accessible to threat actors who can potentially endanger millions, if not billions of users with a click of a button.
When it comes to the number of exposed databases, Elasticsearch leads the pack with 19,814 instances without any kind of authentication in place, putting more than 14 terabytes of data at risk of being stolen or taken hostage by ransomware gangs.
MongoDB seems to fare much better than others terabyte-wise, but the 8,946 unprotected instances show that there’s still a long way to go in terms of basic database security for thousands of organizations and individuals who use MongoDB to store and manage their data.
As we can see, China tops the list with 12,943 exposed instances overall, beating the other countries in each category by a large margin.
The United States comes second, with over 4,512 databases left out in the open, while Germany, where we found 1,479 unprotected instances, takes the third place.
India and France close the top five, with 1,018 and 746 publicly accessible databases, respectively.
Back in 2020, unknown cybercriminals launched a series of so-called ‘Meow’ attacks that wiped all the data stored on thousands of unsecured databases – without any explanation or even a ransom demand – leaving shocked owners with only an empty folder with files named ‘meow’ as the signature of the attacker.
Interestingly enough, we found that 59 databases hit by the ‘Meow’ attacks a year ago are still unprotected and collectively leaving 12.5GB of data exposed.
According to CyberNews security researcher Mantas Sasnauskas, this only goes to show that raising awareness about exposed and publicly accessible databases is as important as ever.
“Anyone can look for these unprotected clusters by using IoT search engines to effortlessly identify those that don’t have authentication enabled and exploit them by stealing the data, holding them ransom, or, as was the case with the ‘Meow’ attack, simply destroy valuable information for fun, wiping billions of records and crippling both business and personal projects in the process,” says Sasnauskas.
Organizations of all shapes and sizes use databases to store customer and employee records, financial data, and other kinds of sensitive information. Unfortunately, databases are often managed by administrators with no security training, which makes them an easy target for threat actors.
If you’re a database owner, here are a few simple steps you can take to secure your database against unwelcome guests:
For detailed step-by-step instructions on how to secure your particular type of database, see the official security guides for Elasticsearch, MongoDB, and Hadoop databases.
With authentication enabled, make sure your database is protected by a unique and complex password that a potential intruder wouldn’t be able to guess.
Can’t come up with a strong password? Consider using a password manager to generate and securely store strong passwords, or use our free strong password generator to automatically generate one.
About the author: Edvardas Mikalauskas
Original post available here:
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, PLA Unit 61419)