
How to analyze the danger of misconfigured cloud databases

2025-04-09 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Today I will talk about how to analyze the danger of misconfigured cloud databases, a topic that many people may not understand well. To make it easier to follow, the editor has summarized the following material. I hope you get something out of this article.

Researchers exposed an improperly configured database on the Internet to find out who would connect to it and what they would steal.

Comparitech researchers report that misconfigured databases are attacked within hours of going online. The team is trying to learn more about how attackers target poorly secured cloud databases, which continue to pose a security risk to organizations around the world.

Cloud configuration errors occur when cloud-related systems or assets are not configured correctly, which gives attackers access to company data. In the past few years, some companies have accidentally opened these databases to the Internet, sometimes exposing billions of records. Insecure and misconfigured servers can disclose sensitive user data, which can usually be accessed or modified by unauthorized third parties without authentication or authorization.

Bob Diachenko, a cyber security expert who heads the Comparitech research team, said the team took up the study as attacks on Elasticsearch intensified. Their goal is to emphasize the importance of following basic safeguards when creating Elasticsearch instances that are open to the public.

The researchers created a honeypot, a simulated database, on an Elasticsearch instance. They put fake user data in the honeypot and exposed it publicly on the Internet to see who would connect to it and how they would try to steal or destroy the data. Diachenko explained that this instance held only 219 records, or a few megabytes of data.

The research team made the data public from May 11, 2020 to May 22, 2020. During that time, the honeypot received 175 unauthorized requests, which the researchers called "attacks." The first occurred on May 12, about eight and a half hours after the honeypot was deployed.

Attacks increased between May 22 and June 5, during which time there were 435 attacks, an average of 29 per day, Diachenko said. The number of requests to the honeypot has "increased significantly" since May 27, reaching a peak of 68 requests on May 30. On the same day, one attack issued searches for keywords such as "payment", "email", "mobile", "gmail", "password", "wallet" and "access token", he said.

Comparitech's Paul Bischoff explained in a blog post about the study that in order to find vulnerable databases, many attackers use Internet of Things (IoT) search engines like Shodan or BinaryEdge. On May 16, Shodan indexed the honeypot, meaning it was subsequently listed in the search results. "Within a minute of being indexed by Shodan, there were two attacks," Bischoff said.

Before the search engine indexed the database, there were more than 30 attacks, which indicates how many attackers use their own scanning tools instead of waiting for an IoT search engine to crawl vulnerable databases. Comparitech points out that some of these attacks may have come from other researchers. However, it is difficult to distinguish between malicious and well-intentioned actors.

Attack targets and techniques

Most attacks against the honeypot requested information about the state and settings of the database. Of these, 147 used the GET request method and 24 used the POST method, which is common in activities originating in China. Another attack sought data about server connections. One attacker wanted to get the headers of the request without receiving a response. The researchers found that some activities were designed to hijack the server for more malicious activity.

A popular target is CVE-2015-1427, a remote code execution vulnerability on the Elasticsearch server. The goal is to access the Elasticsearch environment and download a bash script miner to mine cryptocurrency. Another attack targeted passwords stored on the server. One actor attempted to change the server configuration to delete all its data.
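The request categories described above can be tallied from a honeypot's access log. The following Python triage pass is an added example, not code from the article or from Comparitech's study; the log line format, category names, path heuristics and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Keywords the article reports attackers searching for on May 30.
KEYWORDS = ("payment", "email", "mobile", "gmail", "password", "wallet", "access token")
# Read-only endpoints that reveal cluster state and settings.
STATUS = re.compile(r"^/(?:$|_cat\b|_cluster/(?:health|state|stats|settings)|_nodes\b|_stats\b)")

def classify(method, path, body=""):
    """Map one honeypot request to a coarse category (heuristics, not signatures)."""
    text = (path + " " + body).lower()
    if method == "DELETE" or (method in ("PUT", "POST") and "settings" in path):
        return "destructive_or_config_change"
    if "_search" in path and '"script' in text:
        return "script_in_search"  # request shape associated with CVE-2015-1427
    if "_search" in path and any(k in text for k in KEYWORDS):
        return "sensitive_keyword_search"
    if method == "HEAD":
        return "header_probe"
    if method == "GET" and STATUS.match(path):
        return "status_probe"
    return "other"

def summarize(lines):
    """Count categories. Assumed line format: '<ts> <src_ip> <METHOD> <path> [body]'."""
    counts = Counter()
    for line in filter(str.strip, lines):
        fields = line.strip().split(" ", 4)
        if len(fields) < 4:
            counts["unparsed"] += 1  # keep malformed lines visible, do not drop them
            continue
        body = fields[4] if len(fields) > 4 else ""
        counts[classify(fields[2].upper(), fields[3], body)] += 1
    return counts

# Constructed sample log; source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-05-12T08:31:02Z 192.0.2.10 GET /
2020-05-16T14:00:41Z 198.51.100.7 GET /_cat/indices?v
2020-05-20T03:12:55Z 203.0.113.5 HEAD /
2020-05-30T10:02:13Z 198.51.100.23 POST /_search {"query":{"query_string":{"query":"password OR wallet"}}}
2020-05-30T11:47:09Z 203.0.113.77 POST /_search {"size":1,"script_fields":{"x":{"script":"<redacted>"}}}
2020-06-01T19:20:00Z 192.0.2.44 PUT /_cluster/settings {"persistent":{"<redacted>":"<redacted>"}}
2020-06-02T07:05:31Z 192.0.2.44 DELETE /_all
""".splitlines()

if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {category}")
```

Any count outside `status_probe` on an instance that should not be reachable from the Internet is worth an alert, since those categories correspond to the data-theft, scripting and deletion attempts the study recorded.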

The researchers also collected the locations of the attackers, although they noted that proxies can be used to mask the actual location behind an IP address. Diachenko said that France was the country with the most requests, followed by the United States and China.

He added that the experiment was a "very representative" illustration of the possible dangers of misconfigured and unprotected databases. As the researchers learned, attackers quickly tried to take advantage of the exposure.

"Elasticsearch does not perform authentication or authorization, but leaves it to developers," Diachenko said. "Therefore, it is important to protect all Elasticsearch instances, especially those that can be accessed through the Internet."
