Many companies accidentally leave their databases exposed on the web, and data breaches or security incidents occur daily. Unsecured and misconfigured servers often lead to data leaks that can become logistical and legal nightmares for companies, leaving the privacy and security of customers or company assets at risk.
But how long does it take for cybercriminals to spot and target an unsecured database? According to a recent study by Comparitech’s research team, bad actors locate and target exposed databases within roughly 8 hours of their becoming reachable on the Internet.
During their test, Comparitech set up a honeypot on an Elasticsearch server holding fake, unsecured user data. The database, which remained publicly exposed between May 11 and May 22, was first targeted just 8 hours and 35 minutes after it went online. On May 16, just one minute after the Shodan IoT search engine indexed the database, two attacks were observed.
The research team observed as many as 175 attacks targeting the bogus database.
“The largest number of attacks in a single day occurred on the same day the database was indexed: 22 attacks in total,” researchers said. “It’s worth noting that over three dozen attacks occurred before the database was even indexed by search engines, demonstrating how many attackers rely on their own proactive scanning tools rather than waiting on passive IoT search engines like Shodan to crawl vulnerable databases.”
A ransomware bot also found the honeypot: on May 29 it deleted the contents of the database and left a ransom note behind.
“If you want recover your data send 0.06 BTC to [redacted] and you must send email to [redacted] with your IP,” read the blackmail note. “If you need a proof about your data just send email. If you don’t do a payment all your data may be used for our purposes and/or will be leaked/sold.”
Most of the requests were reconnaissance, aimed at learning the status and configuration of the database, but some attackers were after hijacking the server to mine cryptocurrency, stealing credentials, or destroying the data.
Broken down by HTTP method, the requests used to profile the database were:
- 147 attacks used the GET method
- 24 attacks used the POST method, which was particularly popular among attacks originating in China
- 1 attack used the PUT method, with the intent of changing the server configuration
- 1 attack used the OPTIONS method, which reveals which methods the server accepts
- 1 attack used the HEAD method, which returns only the response headers without the body
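The method breakdown above is the kind of triage a defender would do over the access log of an exposed Elasticsearch node. The following script is an added example, not Comparitech’s code or anything from the honeypot: it parses constructed reverse-proxy-style log lines, tallies HTTP methods, and classifies each request as reconnaissance (GET/HEAD/OPTIONS against status and catalogue endpoints), data access (searches), configuration change (writes to `_cluster/settings`), destructive (DELETE), or a probable ransom note (a document written into an index with a name like `read_me`). The log lines, IP addresses and the `RANSOM_MARKERS` list are assumptions chosen for illustration; the Elasticsearch paths used are real API endpoints.

```python
import re
from collections import Counter

# Constructed sample log lines (combined log format as a reverse proxy would
# write them). They are illustrative, NOT captured from the Comparitech honeypot.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.10 - - [16/May/2020:10:01:03 +0000] "GET /_cat/indices?v HTTP/1.1" 200 1800
198.51.100.7 - - [16/May/2020:10:05:44 +0000] "GET /_cluster/health HTTP/1.1" 200 300
198.51.100.7 - - [16/May/2020:10:05:45 +0000] "POST /users/_search HTTP/1.1" 200 9000
192.0.2.33 - - [16/May/2020:11:12:09 +0000] "PUT /_cluster/settings HTTP/1.1" 200 120
192.0.2.33 - - [16/May/2020:11:12:10 +0000] "OPTIONS / HTTP/1.1" 200 0
192.0.2.33 - - [16/May/2020:11:12:11 +0000] "HEAD / HTTP/1.1" 200 0
203.0.113.99 - - [29/May/2020:03:40:00 +0000] "DELETE /users HTTP/1.1" 200 60
203.0.113.99 - - [29/May/2020:03:40:01 +0000] "PUT /read_me/_doc/1 HTTP/1.1" 201 90
this line is deliberately malformed and must not crash the parser
"""

# Combined-log request line: client, timestamp, "METHOD path HTTP/x", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Index names commonly used by wiper/ransom bots to hold their note (assumed list).
RANSOM_MARKERS = ("read_me", "readme", "warning", "how_to_recover")


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(req):
    """Map one parsed request to a coarse intent category."""
    method = req["method"]
    path = req["path"].split("?", 1)[0]          # drop the query string
    index = path.strip("/").split("/", 1)[0].lower()  # first path segment
    if method == "DELETE":
        return "destructive"
    if method in ("PUT", "POST") and path.startswith("/_cluster/settings"):
        return "config-change"
    if method in ("PUT", "POST") and any(mark in index for mark in RANSOM_MARKERS):
        return "ransom-note"
    if "/_search" in path:
        return "data-access"
    if method in ("GET", "HEAD", "OPTIONS"):
        return "recon"
    return "other"


def summarize(log_text):
    """Tally methods and categories; collect alerts for anything beyond reading."""
    methods, categories = Counter(), Counter()
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if req is None:
            unparsed += 1
            continue
        cat = classify(req)
        methods[req["method"]] += 1
        categories[cat] += 1
        if cat in ("config-change", "destructive", "ransom-note"):
            alerts.append((req["ip"], req["method"], req["path"], cat))
    return {"methods": methods, "categories": categories,
            "alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for method, n in result["methods"].most_common():
        print(f"{n:4d} {method}")
    print("categories:", dict(result["categories"]))
    for alert in result["alerts"]:
        print("ALERT:", *alert)
    print("unparsed lines:", result["unparsed"])
```

Reconnaissance requests on their own are not the signal worth paging on; against a node that has no authentication every GET succeeds, so they only tell you that you have been found. The requests to escalate on are the small number that write or delete: a configuration change, a DELETE of an index, or a new index whose name reads like a note to the victim, which in the constructed sample comes from the same client that wiped the data one second earlier.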