The Hackers Behind the Gootkit Malware Forgot to Secure Their Database with a Password

Some people have problems getting their heads around how much damage a cybercrime operation can do. ZDNet's Catalin Cimpanu and SecurityDiscovery.com's Bob Diachenko spent some time looking closely into an information-stealing malware by the name of Gootkit, and their findings will hopefully help you get a more accurate understanding of just how big the scale is.

Cimpanu said that when compared to other trojans like Emotet and TrickBot, Gootkit's operation is "nowhere near" as large. Yet, a couple of paragraphs later, he said that the relatively small operation has recently resulted in the theft of at least 15 thousand credit cards. Diachenko had some even more terrifying figures which go to show that even the smaller names in the industry are capable of causing quite a lot of harm. But how did Cimpanu and Diachenko come up with these stats?

Even hackers fail to protect their databases sometimes

Those of you who are actively interested in information security have probably heard the name Bob Diachenko in the past. He is a security researcher who has helped with the discovery of dozens of incidents where gigabytes upon gigabytes of sensitive data was left on misconfigured databases and exposed to the internet. In most cases, Diachenko tries to get in touch with the owners of the leaky servers and help secure the information. Understandably, when he found data stolen by Gootkit's operators, he wasn't in too much of a hurry to inform them of their mistake. Instead, he called Catalin Cimpanu and asked for help with the analysis of the leak.

The trojan was sending all the data it was stealing to a MongoDB database that was easily discoverable with the help of IoT search engines. It's unclear if the exposure happened because of a firewall misconfiguration or because the hackers had forgotten to password-protect their server, but the fact of the matter was that the data was accessible to anyone who knew where to look. As we mentioned already, there was quite a lot of it as well.

Gootkit steals and then leaks extremely sensitive information

Gootkit started its life in 2014 as a humble banking trojan. After infection, it would monitor the victim's browsing behavior and would spring to life when the user tries to access their online banking website. Gradually, however, Gootkit evolved, and the focus shifted from banking credentials to a much wider scope of information.

Right now, it can exfiltrate everything from cookies and browsing histories to emails, OS credentials, and passwords for every account imaginable. Gootkit also takes regular screenshots, and it records every bit of information users enter into online forms which is how it managed to steal all those credit card details.

The researcher says that in addition to the 15 thousand credit cards, the databases also held close to 2.2 million passwords, over 750 thousand usernames, and more than 1.4 million email accounts. Not bad for a small-scale malware operation, but unfortunately, the leaked data didn't end there. According to ZDNet's report, there were also stored credentials for things like Bulgarian government agencies and cryptocurrency exchanges which could lead to the exposure of even more sensitive information.

The hackers were quick to secure the database

The outbreak of poorly configured servers that leak data is now turning into an epidemic. Legitimate organizations leave unprotected databases on a daily basis, and it's clear that cybercriminals aren't immune from doing it, either. When real companies are involved, getting in touch with the people responsible, and helping them patch the leak is often harder than it sounds. By contrast, Gootkit's operators seem to be much more willing to react.

On July 10, just five days after Diachenko first saw the leaky database, the hackers took it down. It's not clear if they acted because they saw that Diachenko and Cimpanu were looking at the data. We also have no idea if anyone else has managed to see the information. What we do know is that before the database got shut, Diachenko managed to share the data with law enforcement. Hopefully, it will help the police get to the Gootkit gang.