With recent ransomware attacks targeting MySQL databases, as well as the MongoDB and ElasticSearch attacks in January, you need to take precautionary measures.
But first, it’s good to understand exactly what’s going on here so you know what to guard against:
There are two varieties of attack:
1. A WARNING table is added to the existing database, containing an email address, a bitcoin ransom demand and a bitcoin address. The victim is instructed to pay the ransom and then visit a darknet site via the Tor browser, where they supposedly receive a link to the dumped database files once payment has been made.
2. A PLEASE READ table is added to a new database, claiming that the dumped database has been backed up to the attacker’s servers.
Obviously there’s no guarantee that the attackers have backed your data up at all, so you could go through the process and still end up with lost data.
We’ve put a quick guide together for you to check if you’re protected, and to avoid common careless mistakes:
Out of the box, Elasticsearch doesn’t have any access control, so you’ll need to deploy their Shield offering. As a minimum you should have authentication and network isolation in place to protect against internet-based attacks.
Check you’re not running on default ports, and that your instance uses authentication, security groups and firewalls. Your DBA will need to actively go in and set these up.
By default, MySQL doesn’t let the root user authenticate from everywhere without a password. At a minimum you should limit access to the MySQL service to trusted sources. More often than not, exposure is the result of an administrator’s mistakes: 123456, for example, was the most common password in 2016!
Don’t use publicly accessible IPs without a firewall installed, have robust network isolation set up, and ensure that privileged users have bulletproof passwords.
Controls such as connection control to limit login attempts, forced password resets and password-strength rules also help reduce the chances of a successful attack.
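To make the MySQL checks above concrete, here is an added example (not part of the original post) of the queries and settings a DBA can run on a MySQL 5.7 server: it looks for the ransom-note tables described earlier, lists accounts reachable from any host or with no password, and then turns on the connection control and password-policy plugins. The account name and trusted address are placeholders to adjust for your environment.

```sql
-- 1. Look for the ransom-note tables this post describes (WARNING / PLEASE READ).
SELECT table_schema, table_name, create_time
FROM information_schema.tables
WHERE UPPER(table_name) IN ('WARNING', 'PLEASE READ', 'PLEASE_READ');

-- 2. Accounts that can connect from any host, or that have no password at all.
SELECT user, host, plugin
FROM mysql.user
WHERE host IN ('%', '')
   OR authentication_string = '';

-- 3. Pin a privileged account to a trusted source address.
--    RENAME USER keeps the account's grants; 'admin' and 10.0.0.5 are placeholders.
RENAME USER 'admin'@'%' TO 'admin'@'10.0.0.5';

-- 4. Rate-limit failed logins: after 3 failures, each further attempt is delayed,
--    starting at 1 second and growing up to 60 seconds.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET GLOBAL connection_control_failed_connections_threshold = 3;
SET GLOBAL connection_control_min_connection_delay = 1000;   -- milliseconds
SET GLOBAL connection_control_max_connection_delay = 60000;  -- milliseconds

-- 5. Enforce strong passwords for every future password change.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;

-- 6. Force the privileged account to pick a new password at next login,
--    which must now satisfy the policy above.
ALTER USER 'admin'@'10.0.0.5' PASSWORD EXPIRE;

-- 7. Review who has been hammering the login since the plugin was enabled.
SELECT userhost, failed_attempts
FROM information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
```

Put the plugin settings in my.cnf as well, otherwise the SET GLOBAL values are lost on restart.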
It does take effort, of course, but by following best practice you should be protected.