Non-invasive data leaks
Monday, September 30, 2019
News posts about data leaks are emerging with alarming frequency, and the magnitude of these leaks is quite stunning.
If we add together the numbers from all the leak reports from January to March 2019, we discover that an astonishing 590 million CVs were leaked from Chinese companies. Most of these inadvertent leaks were caused by misconfigured MongoDB databases and Elasticsearch servers that were reachable over the Internet without a password.
The cybersecurity company UpGuard reported that Facebook user records held by third parties were readily accessible to the general public, including a data set stored on an Amazon S3 server.
Over 540 million user records, including messages, comments, interests and logins, were exposed.
Why so many leaks? Previously, servers were attacked either by enthusiasts doing it for fun or by professionals after specific data on a particular network. Today bots have taken their place, and a bot does not pick targets: it works through address ranges and takes whatever answers.
Here is a typical news post about this subject:
Python Xwo is a bot scanner. It uses default credentials to gain access to various databases, including MySQL, PostgreSQL and MongoDB.
It retrieves a range of IP addresses to target from its C&C server and reports the results back to that same server.
Sometimes attackers steal the data; sometimes they hold it for ransom instead.
In late 2016 and early 2017, attackers mounted a series of attacks on exposed MongoDB servers. The hackers would simply wipe the database and demand a ransom for its return (even though, more often than not, they had kept no copy of the deleted data).
The Cru3lty hack team compromised 22,449 databases in just one week.
That’s 22,000 databases in a week!
How hard can it be for an attacker if a database uses default settings?
Let's check whether the node is accessible over the Internet.
It's easy to do. We'll try to load the site in a browser using port 28017, the port on which MongoDB releases before 3.6 could serve their HTTP status interface (the data port plus 1000). We enter the address. And voila:
Indeed. So far, nothing particularly alarming is going on, but the fact that anyone can access the system information is not a good sign.
We continue digging.
We try to connect to the database with the mongo client. We enter the following in the console on our laptop:
And voila, once again:
That's how we connect to a MongoDB shell without entering a password.
The Anti-virus Times recommends
The fact is, these servers aren't being hacked at all; only legitimate software is used. A simple script walks through address ranges and probes each host for a response. That's it! That so many administrators can be this careless is stunning, and the leaks that have come to light so far are still few in number…
Never leave a database without authentication and a strong password, even if the database software came bundled with another product and was installed with that product's defaults. Bind it only to the interfaces that actually need to reach it, keep it off the public Internet unless there is no alternative, and, of course, install updates.
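As an added example, not part of the original post, the script below audits a mongod.conf (the YAML format MongoDB has used since 2.6) for the settings behind the exposure described above: listening on every interface, authorization left off, and the HTTP status interface that answered on port 28017. It goes slightly beyond the post's own advice by checking the network binding as well as authentication. Both configuration texts are constructed for illustration and are not taken from any real deployment.

```python
"""Audit a mongod.conf (YAML format, MongoDB 2.6+) for the settings that
leave an instance reachable and passwordless over the Internet.

Added example: the config texts below are constructed for illustration and
are not taken from any real deployment or from the original post."""

from typing import Dict, List, Optional, Tuple

# Constructed: how the open instances discussed above are typically configured.
OPEN_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
  http:
    enabled: true        # status page on port 28017 (pre-3.6 releases)
"""

# Constructed: the same instance with the recommended fixes applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal NIC only
security:
  authorization: enabled       # every client must log in
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the indented key/value subset mongod.conf uses into dotted keys,
    e.g. {"net.bindIp": "0.0.0.0"}. Lists, anchors and multi-line values are
    out of scope: this is not a general YAML parser."""
    result: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave mappings we have exited
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            result[dotted] = value
        else:                                    # a nested mapping starts here
            stack.append((indent, key.strip()))
    return result


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per setting that exposes the instance; [] if clean."""
    findings: List[str] = []

    bind: Optional[str] = conf.get("net.bindIp")
    if conf.get("net.bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll=true: listens on every interface")
    elif bind is None:
        findings.append("net.bindIp unset: releases before 3.6 then listen on every interface")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(f"net.bindIp={bind}: listens on every interface")

    # Without authorization the mongo shell gets in with no password at all.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: no password is required")

    # The HTTP status interface (removed in 3.6) serves system information on port+1000.
    if conf.get("net.http.enabled", "false").lower() == "true":
        port = int(conf.get("net.port", "27017"))
        findings.append(f"net.http.enabled=true: status page exposed on port {port + 1000}")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_flat_yaml(text)) or ['no findings']}")
```

Run against a real /etc/mongod.conf, the open configuration produces three findings and the hardened one none. Note that an unset bindIp is only safe on 3.6 or later, which is one more reason the post's closing advice to install updates matters here.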