Unsecured Databases Are Attacked 18 Times a Day

As many of you know, nowadays, the majority of data leaks happen not because hackers break through the security of organizations, but because the organizations themselves put user information in misconfigured databases and servers. Security researchers discover poorly secured Elasticsearch databases and Amazon S3 storage buckets day in, day out, and they're always in a hurry to inform the responsible organization and fix the problem before the data ends up in the wrong hands.

The frustrating thing about such discoveries is that more often than not, the experts have no way of knowing whether anyone with criminal intent has actually seen the unsecured database and scraped the information inside it. On the one hand, this makes risk assessment more difficult, and on the other, it gives the responsible organization an excuse to downplay the mistake and say that things aren't that bad.

Bob Diachenko, a security expert responsible for the discovery of more than a few leaks, and his colleagues from Comparitech wanted to find out how often cybercriminals attack poorly configured servers and databases. To do that, they set up an Elasticsearch database, filled it with fake data, and deliberately left it exposed without a password. They then started recording all unauthorized access attempts, and they realized just how serious the risk is.

Cybercriminals are constantly looking for exposed databases

Just over eight and a half hours after setting up the honeypot, the researchers registered the first unauthorized access attempt. Over the next ten days, the Elasticsearch database was attacked 175 times, an average of around 18 attacks per day. Most of the activity came from IPs in the US, China, and Romania, though, as the researchers pointed out, criminals often use proxies to cover their tracks, so this data shouldn't be trusted. The experts' report also notes that some of the queries might have come from other security researchers who were looking for data leaks. Even with this in mind, the data definitively shows that the cybercriminals are on an active hunt for misconfigured databases.

This was also proven by the fact that the attackers had their own specialized scanning tools that helped them locate Comparitech's honeypot even before it was indexed by Shodan, the search engine that is normally used to find these databases.

It's not just about the data

If the information in the Elasticsearch database had been real, Comparitech would have been in big trouble. The experts pointed out, however, that not all attacks were aimed at stealing people's personal information. One attacker tried to disable the server's firewall, most likely in preparation for another attack. In other cases, Diachenko's team saw hackers exploiting a vulnerability and attempting to steal the passwords stored in the /etc/passwd file. A third group tried to use the exposed server for cryptocurrency mining. On May 29, about a week after the experiment had concluded, an attacker accessed Comparitech's honeypot, erased all the dummy data, and left a ransom note saying that if the owner of the database didn't pay 0.6 BTC (close to $6,000), the information would be leaked or sold to cybercriminals.

All in all, Comparitech's experiment shows that in addition to giving easy access to a ton of user information, an exposed database can present cybercriminals with a number of other money-making opportunities. It also proves that the crooks won't shy away from taking these opportunities.

June 11, 2020