February 28, 2017 By Larry Loeb 2 min read

In January, security researchers reported that MongoDB servers had sustained disastrous wave of attacks. Now, analysts from GuardiCore believe they have discovered a similar campaign affecting MySQL databases.

MySQL Database Goes the Way of MongoDB

Though these particular MongoDB databases may have either been badly configured or not configured at all to be public-facing, the January strike was still a new and virulent kind of attack. Eventually, it spread to an estimated 30,000 databases. The ransomware in question demanded 0.2 bitcoin for victims to recover their data.

SecurityWeek reported that the same sort of ransomware spread to attack ElasticSearch clusters, Hadoop and CloudDB databases. Worse, the attackers might simply delete the stolen data rather than return it, even if the ransom is paid. Researchers also found that multiple actors compete within the same database to have the most current ransom note and thus receive payment.

How the Attack Works

A more detailed account of the attack was posted on GuardiCore’s blog. The security firm reported that cybercriminals first search for servers that are secured with weak passwords. Then they try to brute-force these servers to gain a foothold, followed by elevated access. Once in all the way, the actors replace the database contents with their own table, which includes a ransom note.

The threat actors appeared to use many of the same techniques in this campaign as they did in January’s MongoDB attacks. Their multiple overwriting method, in particular, has proven to be extremely destructive. Additionally, GuardiCore said it found no evidence of data dumps or data exfiltration during any of the MySQL attacks they monitored, which means the attackers made no attempt to save prior data.

Looking for Low-Hanging Fruit

Mitigation comes, in this case, from using strong passwords and mandatory authentication for any internet-facing systems. Brute-force is a rather inefficient attack method, and cybercriminals who employ this technique are almost always looking for low-hanging fruit.

Users and organizations can vastly improve their security postures by conducting simple password audits and following basic online security best practices.

More from

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

7 min read - Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments. During my research, I decided to try and discover vulnerabilities in software that I had pre-installed on my laptop, which resulted in the discovery of this vulnerability. In this article, I…

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today