MHN Radar: Databases Under Siege

Anomali’s <a href="https://threatstream.github.io/mhn/" target="_blank">Modern Honeypot Network</a> (MHN for short) is a worldwide network of honeypot sensors that collects data on scans, probes and intrusions of various network ports and services. By looking at data collected by MHN we can piece together a picture of the current threat landscape for a variety of services.Recently, security headlines have been ripe with <a href="https://threatpost.com/attacks-on-mongodb-rise-as-hijackings-continue/122887/" target="_blank">reports of ongoing campaigns against exposed database servers</a> on the internet. Many of them ending up fully compromised and having data hijacked by cyber criminals using <a href="https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html" target="_blank">Linux variants of ransomware</a> that encrypt the database. Affected database installations include MongoDB, ElasticSearch, Hadoop, Cassandra, CouchDB as well as other well-known databases.If you are running any of these database technologies, you are urged to immediately review your security posture and ensure systems are not exposed.The primary issue is that these database systems are setup with default configurations and then made accessible on the open internet. This is usually by way of opening ports on a firewall or in some cases directly connecting the system to the internet without sufficient hardening of the OS and applications. (Did we mention some don’t even bother to change the default password?)Once installed, the database usually runs quietly as a backend service and unless configured otherwise will listen on its default TCP port (common ones listed below). If that TCP port is accessible via the open internet it means anyone can run a scan and identify systems running these services, making them potential targets for attacks.<table align="center" class="table table-bordered table-striped" style="width: 300px;"><thead><tr><th scope="col">DB</th><th scope="col">TCP Port</th></tr></thead><tbody><tr><td>MongoDB</td><td>27017</td></tr><tr><td>ElasticSearch</td><td>9200</td></tr><tr><td>Hadoop</td><td>50070</td></tr><tr><td>Cassandra</td><td>9160</td></tr><tr><td>CouchDB</td><td>5984</td></tr></tbody></table>Default TCP Ports for common databasesLooking through data available in MHN, we can see the distribution of connection attempts to backend database services for the past year. As far as TCP port activity goes, MongoDB (TCP port 27107) eclipse’s the others in terms of overall volume with Elasticsearch (TCP port 9200) coming in second place.<img alt="" src="https://cdn.filestackcontent.com/sQPdY69LTiK1AXdx46ra"/>Figure 1 – TCP port activity, 2016 on left and 2017 year to date on right.<h2>Volume of scans for backend database services within MHN</h2>This is where things start to get interesting. Up until late last year there was only a trickle of scans, though MongoDB was already at the forefront signaling what was yet to come.2016 <img alt="" src="https://cdn.filestackcontent.com/XT2Kcqv5QpWs6hoHVyb9"/>2017 <img alt="" src="https://cdn.filestackcontent.com/kNrTuC5XSrG2c6YXHVT8"/>Figure 2 – Database TCP Port activity. The bad guys are REALLY interested in MongoDB!As you can see above, since 2017 started there has seen a significant increase in activity to database services. MongoDB saw more than a 10-fold increase in activity but the other services saw major increases as well. There is no question that exposed databases are actively under attack and it’s ongoing.Geographically, the US has the highest number of exposed systems for all the represented databases (according to data from shodan.io). The majority of the probes against MongoDB came from an IP located in China and hosted on AS4837.<h2>What’s Next?</h2>Attackers will continue to scour the internet for openly accessible databases. Security teams should to be on alert for associated activity and expect scans and probes against any exposed systems, <a href="https://cwe.mitre.org/data/definitions/200.html" target="_blank">information disclosure</a> alone can be enough to trigger an attack. This should serve as a reminder that security is rarely a “set it & forget it” deal. If you set it up, you must harden it or at least make sure it is not accessible to anyone that is not authorized. Poking holes in the firewall so you can manage the DB remotely may be convenient, but it may be very costly as well.<h2>Additional Information</h2>Every environment is different and fully securing your databases may require additional mitigation. You are encouraged to seek help from the security community and or professionals for the particular database technology.Proactively looking for signs of activity related to probes, scans, or authentication attempts may be helpful in determining your risk level or amount of exposure. Having access to up to date Threat Intelligence is vital in battling threats like these as it empowers your security team to know which needles to look for in your haystack.The following short list of vendor recommendations may also help get your started.<ul><li>MongoDB Security checklist <a href="https://docs.mongodb.com/manual/administration/security-checklist/" target="_blank">https://docs.mongodb.com/manual/administration/security-checklist/</a></li><li>ElasticSearch <a href="http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly" target="_blank">http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly</a></li><li>Cassandra <a href="https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureIntro.html" target="_blank">https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureIntro.html</a></li><li>Hadoop <a href="https://hadoop.apache.org/docs/r3.0.0-alpha1/hadoop-project-dist/hadoop-common/SecureMode.html" target="_blank">https://hadoop.apache.org/docs/r3.0.0-alpha1/hadoop-project-dist/hadoop-common/SecureMode.html</a></li><li>CouchDB <a href="https://cwiki.apache.org/confluence/display/COUCHDB/Securing+CouchDB" target="_blank">https://cwiki.apache.org/confluence/display/COUCHDB/Securing+CouchDB</a></li></ul>For more information on MHN as well as how to setup your own honeypot network for collecting statistics on cyber-attacks, check out the <a href="https://www.anomali.com/blog/mhn-modern-honey-network">MHN intro page</a>.