A wave of ransom attacks is targeting MySQL Databases worldwide

A wave of ransom attacks is threatening thousands of MySQL databases that are exposed online, the hackers are brute forcing poorly secured MySQL servers.

Databases exposed online with a poor security continues to be a privileged target of hackers.

Early this year, experts warned of a spike in the number of attacks against MongoDB systems, crooks requested the payment of a ransom in order to return data and help the company to fix the flaw they exploited. The attacks were discovered by the Co-founder of the GDI Foundation, Victor Gevers, who warned of poor security for MongoDB installations in the wild.

Similar attacks are now threatening thousands of MySQL databases that are exposed online, the hackers are brute forcing poorly secured MySQL servers.

The attackers enumerate existing databases and their tables, steal their content, and creating a new table that contains the instruction to pay a 0.2 Bitcoin (around $200) ransom.

The attacks targeted SQL databases all around the world.

What happens when victims pay the ransom?

In some cases, crooks provided owners with access to their data, but there is no certainty,  some archives were permanently deleted without dump them first.

Unfortunately, it is quite easy to find MySQL databases online and attempt to guess their passwords with brute force attacks.

The experts at the security firm GuardiCore observed, hundreds of attacks during a 30-hour window starting at midnight on February 12.

The attacks were launched by the same IP address (109.236.88.20), likely a compromised mail server, and were all hosted by worldstream.nl. The researchers notified the attacks to the Netherlands-based web hosting company.

“The attacks started at midnight at 00:15 on February 12 and lasted about 30 hours in which hundreds of attacks were reported by GGSN. We were able to trace all the attacks to 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting company. ” reads the analysis shared by Guardicore. “The attack starts with ‘root’ password brute-forcing. Once logged-in, it fetches a list of the existing MySQL databases and their tables and creates a new table called ‘WARNING’ that includes a contact email address, a bitcoin address and a payment demand.”

The experts observed two versions of the ransom message:

INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email) VALUES(‘1′,’Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!’, ‘1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY’, ‘backupservice@mail2tor.com’)

and

INSERT INTO `WARNING`(id, warning)
VALUES(1, ‘SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE! SQL DUMP WILL BE AVAILABLE AFTER PAYMENT! To access this site you have use the tor browser https://www.torproject.org/projects/torbrowser.html.en’)

The researchers have analyzed the transactions associated to the bitcoin wallets associated with the attacks:

1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9

1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY

and

The experts highlight the importance of security MySQL server exposed online by using strong passwords and forcing mandatory authentication.

Periodically backup of the data and monitor continuously the access to the MySQL databases in order to could prevent serious damage to the administrators.

“Every MySQL server facing the internet is prone to this attack, so ensure your servers are hardened. Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice. Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach.” GuardiCore also notes.

 

[adrotate banner=”13″]

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MySQL Databases, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]