Over the past few years, data breaches involving millions of leaked records have become the norm. A growing share of them trace back to a single offender: poorly secured and misconfigured databases connected directly to the Internet.
Leaving a database exposed to the Internet is usually the result of simple human error, but the consequences are anything but simple. In the past three months alone, hundreds of unsecured databases left exposed to the Internet were the subject of "meow" attacks that destroyed data without much explanation, leaving only the word "meow" as a calling card. So far, more than 1,000 unsecured databases have been permanently wiped.
To shed light on these recent leaks and attacks, Gregory Boddin from LeakIX is joining us in this latest installment of ProTips. LeakIX is a new engine developed in Belgium that indexes and provides insight into compromised devices, servers and databases. It helps security researchers and threat intelligence companies keep track of the campaigns active in the wild by providing actionable data on cybercrime campaign trends.
Today we'll learn about how to secure databases, how to identify meow attacks, the pros and cons of open search engines, Gregory's favorite open source scanning tools, and we'll even tackle some underappreciated practices such as source code mining and IPv6 scanning.
Pro-Tips
1. Open databases and how to secure them.
2. Identifying meow attacks.
3. Best open source scanning tools.
4. Pros and cons of open search engines.
5. Tackling IPv6.
6. Source code mining.
7. LeakIX power tips.
ProTip 1: Open databases and how to secure them
Most of the databases left open at the moment are MongoDB and Elasticsearch servers. They're used for purposes ranging from simple log storage to full-blown "source of truth" object stores.
This means they can contain logs of users visiting your site, sometimes including what was submitted through forms: first name, last name, location, passwords or credit card numbers.
After logs, you can find full repositories of various objects:
Users.
Payment information.
Metrics about infrastructures, revealing their schema and internal configuration.
Large aggregates of data collected for research, sometimes with disastrous consequences (scraped social media accounts, sensitive Internet reconnaissance).
On the MySQL side, many exposed instances turn out to be development instances. Depending on company policy, those may still hold production data.
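As an added example (this is not code from the post or from LeakIX), the following Python script audits a mongod.conf and an elasticsearch.yml for the two settings that decide whether a server ends up in the category described above: a listener bound to every interface and authentication left off. The four config snippets are constructed for the example, the exposed variant beside its hardened form; the option names (net.bindIp, security.authorization, network.host, xpack.security.enabled) are the real ones. Two defaults are assumed: mongod 3.6+ binds to localhost when bindIp is absent, and Elasticsearch 7.x ships with xpack.security.enabled off.

```python
"""Audit mongod.conf / elasticsearch.yml for the two settings that turn a
database into one of the open servers described above: a listener bound
to every interface, and authentication switched off.

Constructed example configs below; none come from a real server."""
import re

MONGOD_EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from the Internet
storage:
  dbPath: /var/lib/mongo
"""                      # no security section: authorization is off

MONGOD_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1      # or a private interface behind a firewall
security:
  authorization: enabled
"""

ES_EXPOSED = """\
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
"""                      # 7.x default: xpack.security.enabled is false

ES_HARDENED = """\
cluster.name: logs
network.host: 127.0.0.1
xpack.security.enabled: true
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "*", "_global_"}


def flatten_yaml(text):
    """Minimal reader for the 'key: value' YAML subset these configs use.
    Returns dotted keys: {'net.bindIp': '0.0.0.0'}. Strips '#' comments.
    Not a general YAML parser (no lists, quoting or multi-line values)."""
    settings, stack = {}, []            # stack of (indent, key) for nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave deeper/sibling keys
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            settings[".".join(k for _, k in stack)] = value.strip()
            stack.pop()                            # leaf: does not nest
    return settings


def is_public(bind):
    """True when a bind address (or comma list) means 'every interface'."""
    return any(b in PUBLIC_BINDS for b in re.split(r"[,\s]+", bind.strip()))


def audit_mongod(conf):
    s = flatten_yaml(conf)
    findings = []
    bind = s.get("net.bindIp", "127.0.0.1")          # mongod 3.6+ default: localhost
    if is_public(bind):
        findings.append("net.bindIp=%s: listens on every interface" % bind)
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: anyone "
                        "reaching the port can read and drop every database")
    return findings


def audit_elasticsearch(conf):
    s = flatten_yaml(conf)
    findings = []
    host = s.get("network.host", "_local_")           # ES default: loopback only
    if is_public(host):
        findings.append("network.host=%s: REST API reachable on every interface" % host)
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is off: no authentication on "
                        "the REST API (7.x default)")
    return findings


if __name__ == "__main__":
    for label, conf, audit in [("mongod exposed", MONGOD_EXPOSED, audit_mongod),
                               ("mongod hardened", MONGOD_HARDENED, audit_mongod),
                               ("elasticsearch exposed", ES_EXPOSED, audit_elasticsearch),
                               ("elasticsearch hardened", ES_HARDENED, audit_elasticsearch)]:
        print(label, "->", audit(conf) or ["no findings"])
```

Binding to localhost or a private interface keeps the port off the Internet; enabling authorization is what protects the data when the port is reachable anyway. A server needs both, which is why the script reports them as separate findings.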
ProTip 2: Identifying meow attacks
When LeakIX was first released to the public, it was mostly a tool for tracking database schemas. It turns out you can obtain many kinds of information from a database schema without accessing the data itself.
Identifying ransom campaigns was one of them, as those groups usually leave the same message with different email and BTC addresses in a newly created database or index with a specific name, such as "hello" or "read_me".
What we didn't expect, however, was for all those servers to be completely wiped by what appears to be an attack with no profit motive.
Focusing on the Elasticsearch side, we started seeing meowed servers in the wild around the 20th of July. 500 servers were hit on the first day, and the attack kept running strong for the next two weeks:
There was no sign of new infections until the 12th of August, followed by a total of ~600 infections since then.
These figures are a subset of what happened, since we cannot guarantee we indexed ALL servers. From our data, however, we found that:
7,340 out of 12,371 Elasticsearch servers have been infected.
3,200 out of 15,664 MongoDB servers have been infected.
809 out of 7,689 Zookeeper servers have been infected.
You can find the full list of infections with daily reports here.
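The schema-only identification Gregory describes can be turned into a small classifier, added here as an example (not code from the post or from LeakIX): it labels a server as meowed, ransomed or clean from nothing but its index or database names and document counts, without reading any data. The `_cat/indices` and `listDatabases` samples are constructed for the example. The name pattern for meow-created indices, a random lowercase string followed by "-meow", is assumed from how the campaign was reported and is not stated in the post; the ransom-note names "hello" and "read_me" are the ones given above, and the extra variants (readme, warning, recover) are assumptions.

```python
"""Classify an exposed Elasticsearch or MongoDB server from its schema
alone: index/database names plus document counts, no data read.

Samples below are constructed for this example, not captured from
any real server."""
import json
import re

# `GET /_cat/indices?v` output after a meow attack: user indices replaced
# by empty '<random>-meow' indices, only the Kibana system index left.
CAT_INDICES_MEOWED = """\
health status index         uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   gqk1r2bk-meow Ab12Cd34Ef56Gh78Ij90Kl 1   1   0          0            208b       208b
green  open   h3k9z2qm-meow Mn12Op34Qr56St78Uv90Wx 1   1   0          0            208b       208b
green  open   .kibana_1     Yz12Ab34Cd56Ef78Gh90Ij 1   0   12         0            38.4kb     38.4kb
"""

# Same listing with a ransom note: one new index holding a single document.
CAT_INDICES_RANSOMED = """\
health status index         uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   read_me       Kl12Mn34Op56Qr78St90Uv 1   1   1          0            5.2kb      5.2kb
green  open   users         Wx12Yz34Ab56Cd78Ef90Gh 1   0   48213      0            24.1mb     24.1mb
"""

CAT_INDICES_CLEAN = """\
health status index           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logs-2020.07.19 Ab12Cd34Ef56Gh78Ij90Kl 1   1   48213      0            24.1mb     24.1mb
green  open   users           Wx12Yz34Ab56Cd78Ef90Gh 1   0   1203       0            1.4mb      1.4mb
"""

# MongoDB `listDatabases` reply (JSON) after a meow attack.
LIST_DATABASES_MEOWED = """{"databases": [
  {"name": "admin", "sizeOnDisk": 40960, "empty": false},
  {"name": "config", "sizeOnDisk": 73728, "empty": false},
  {"name": "local", "sizeOnDisk": 73728, "empty": false},
  {"name": "xgp3ad1k-meow", "sizeOnDisk": 8192, "empty": false}],
 "totalSize": 196608, "ok": 1}"""

# Assumed pattern for meow-created names: random lowercase alphanumerics + '-meow'.
MEOW_NAME = re.compile(r"^[a-z0-9]{6,12}-meow$")
# 'hello' and 'read_me' come from the post; the other variants are assumed.
RANSOM_NAME = re.compile(r"^(hello|read_?me.*|warning.*|.*recover.*)$", re.I)
# ES dot-indices and MongoDB built-in databases are not user data.
SYSTEM_NAME = re.compile(r"^(\..*|admin|local|config)$")
RANSOM_MAX_DOCS = 10   # a note is one document; a real index of that name is not a note


def parse_cat_indices(text):
    """[(index_name, docs_count)] from `_cat/indices?v` text output."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    name_col, docs_col = header.index("index"), header.index("docs.count")
    return [(cols[name_col], int(cols[docs_col]))
            for cols in (line.split() for line in lines[1:])]


def parse_list_databases(text):
    """[(db_name, None)] from a MongoDB listDatabases JSON reply (no counts)."""
    return [(db["name"], None) for db in json.loads(text)["databases"]]


def classify(entries):
    """Return (verdict, matching_names) using names and counts only."""
    meow = [n for n, _ in entries if MEOW_NAME.match(n)]
    ransom = [n for n, d in entries
              if RANSOM_NAME.match(n) and (d is None or d <= RANSOM_MAX_DOCS)]
    user_data = [n for n, _ in entries
                 if not (MEOW_NAME.match(n) or RANSOM_NAME.match(n)
                         or SYSTEM_NAME.match(n))]
    if meow and not user_data:
        return "meowed", meow                  # everything replaced, nothing left
    if meow:
        return "meowed_partial", meow          # wiped while new data keeps arriving
    if ransom:
        return "ransomed", ransom
    return "clean", []


if __name__ == "__main__":
    for label, entries in [("es meowed", parse_cat_indices(CAT_INDICES_MEOWED)),
                           ("es ransomed", parse_cat_indices(CAT_INDICES_RANSOMED)),
                           ("es clean", parse_cat_indices(CAT_INDICES_CLEAN)),
                           ("mongo meowed", parse_list_databases(LIST_DATABASES_MEOWED))]:
        print(label, "->", classify(entries))
```

Everything the classifier needs comes from endpoints that reveal structure rather than content, which is what makes this kind of tracking possible at scale without ever pulling a record out of someone else's database.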
ProTip 3: Best open source scanning tools
**1 SYNACK scans**
If...