Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Ransack Campaigns Target Hadoop and CouchDB

Following a series of ransom attacks against MongoDB and Elasticsearch databases in recent weeks, many users of CouchDB and Hadoop are now finding their databases are under attack as well.

Following a series of ransom attacks against MongoDB and Elasticsearch databases in recent weeks, many users of CouchDB and Hadoop are now finding their databases are under attack as well.

With the help of automated tools, attackers have been targeting Internet-acessible databases that haven’t been properly secured and either erasing or stealing data, followed by dropping a note demanding a specific ransom amount in exchange for the stolen data.

Insecure MongoDB installations were targeted first, and over 33,000 databases have already fallen victim to the attacks. However, as more hackers joined the rush, attackers started looking into alternatives, and Elasticsearch databases came into the crosshairs next.

Only several hundred such installations were targeted within the first couple of days, but the number has since grown to over 4,600 as of today, the public spreadsheet security researchers Victor Gevers and Niall Merrigan (who have been keeping an eye on these attacks since the beginning) use to track the campaign shows.

The attacks on MongoDB installations have reportedly slowed down, suggesting that hackers are focusing on Elasticsearch databases (over 30,000 of them are reportedly exposed) or other targets. With one actor actively attempting to sell the ransomware kit for MongoDB and Elasticsearch, it remains to be seen whether more attackers will start targeting these databases as well.

For now, however, it’s certain that Internet-facing CouchDB and Hadoop Distributed File System (HDFS) installations are potential victims to these attacks. The key change, however, is that hackers might no longer steal the data to hold it for ransom, but simply erase everything in an attempt to do harm.

While the number of CouchDB databases that have fallen to the ransom attack is still low, there are around 4,000 exposed instances, and their fate could turn for the worse if admins don’t secure them in a timely manner.

The public spreadsheet tracking attacks on Hadoop servers shows that 126 of them have been already vandalized and that there are three attackers actively pursuing them at the moment. There are between 8,000 and 10,000 HDFS installations out there, which means that attackers have quite the attack surface to enjoy.

Advertisement. Scroll to continue reading.

Fidelis Cybersecurity Threat Research says that the attacks on HDFS installations (which started ramping up last week) are possible because admins use minimal security and made installations accessible from the Internet, and because denial of service (DoS) attacks have been trending up over the past years, especially in the enterprise segment.

Because HDFS installations using default configurations allow access without authentication, any attacker with basic proficiency in Hadoop can start deleting files. “On or around January 5 to January 6, traffic to port 50070 soared as attackers scanned for open HDFS installations to target,” Fidelis says.

To stay protected, admins need to follow some simple rules that apply to all databases, be them MongoDB, Elasticsearch, CouchDB, or HDFS: avoid exposing them to the Internet unless that is absolutely necessary, and use strong authentication settings (leaving default settings could mean that no authentication is required). Regularly backing up data helps restoration efforts after being hit.

With tens of thousands of databases already hit worldwide, it’s clear that admins need to take stance and up their security. Gevers and Merrigan have already made steps in preventing attacks, such as contacting local GovCERT teams to warn server owners that they are exposed. This reportedly resulted in critical Hadoop servers being pulled off the Internet.

The two security researchers have been hard at work over the past couple of weeks helping victims, and others have already joined their efforts, including Bob Diachenko, Matt Bromiley, and Dylan Katz.

Related: Elasticsearch Servers Latest Target of Ransom Attacks

Related: 33,000 Databases Fall in MongoDB Massacre

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.