The ransomeware attacks that began around Christmas, first hitting MongoDB and then ElasticSearch clusters, last week again broadened to now include both CouchDB and Hadoop servers.
The attacks on Hadoop add a new twist. The data is wiped with no ransom note being left behind. Instead, all tables are replaced with with the entry: "NODATA4U_SECUREYOURSHIT." According to security expert Victor Gevers, "...these look like vandalism."
Gevers is the person who discovered the first round of attacks against MongoDB and has been tracking them since with the help of Niall Merrigan. As the threat has grown, they've been joined by Bob Diachenko with MacKeeper Security Research Center, Matt Bromiley with 505Forensics, and Dylan Katz with GitPrime. They've been busy compiling lists of hacked databases, as well as working to identify -- and notify -- databases that might be vulnerable.
According to Mike Olson, the chief strategy officer and co-founder of Cloudera, a Hadoop provider, the attacks on Hadoop are not leveraging vulnerabilities in the platform.
"This is a problem that has to do with deployment and operations discipline," he said. "You can encrypt all the data that’s on the platform, you can separate the key management from the system and you can take advantage authentication, access control and user enroll-based rights to the data. The systems that have been attacked have not taken advantage of these features"
However, as was the case with MongoDB instances spun-up on some public clouds, Hadoop seems to be configured by default to be vulnerable.
"A core issue is similar to MongoDB," explained Fidelis Cybersecurity, another group watching the database attacks, "namely the default configuration can allow ‘access without authentication.’ This means an attacker with basic proficiency in (Hadoop) can start deleting files."
The attacks on CouchDB, a NoSQL database similar to MongoDB, follow the exact same pattern as the hacks on MongoDB and ElasticSearch, with data being wiped and replaced with a ransom note. It's not clear whether the CouchDB breaches are being carried out by the same group(s) that hit the other databases, although there are indications that they might involve a new group of players. The ransom demanded is considerably lower -- 0.1 bitcoins (about $92) as opposed to the asking price of 0.2-0.25 bitcoin in the MongoDB/ElasticSearch attacks.
This expansion by the black hats to other databases wasn't unexpected by security experts. The attacks are also expected to continue to expand to other misconfigured and vulnerable databases. This means that administrators deploying any brand or type of database would be well advised to check for potential security issues.
The numbers so far are sobering, and continue to rise. On Friday, at least 126 Hadoop and 452 CouchDB installations had been hacked. This is in addition to 34,000 MongoDB servers and 4,600 ElasticSearch clusters that have had their data wiped and held for ransom.
