Original Release Date: 12/17/2020
Guardicore researchers identified an active ransomware campaign, known as PLEASE_READ_ME, targeting MySQL database servers. The campaign began as early as January 2020 and has compromised more than 250,000 databases, with an estimated 83,000 victims to date. The attack is trivial and begins with a brute-force attack on internet-facing MySQL servers. All data is subsequently wiped from the database and a ransom note is left in its place. Additionally, a backdoor account, 'mysqlbackups'@'%', is added to the database for persistence. The threat actor then threatens to expose or sell the stolen data unless a second ransom is paid. Two variants have been identified; the second is associated with a sharp increase in attacks starting in October 2020. Attacks are expected to continue as there are more than five million internet-facing MySQL servers.
A similar technique has been used in another ongoing campaign, discovered by Unit 42 researchers, targeting PostgreSQL database systems. This campaign, identified as PgMiner, is a botnet operation that uses brute-force attacks to compromise internet-facing PostgreSQL systems in an attempt to install a cryptocurrency miner. PgMiner only affects Linux MIPS, ARM, and x64 platforms at this time. Though these campaigns do not appear to be related at the time of this writing, they both use similar attack chains. Researchers surmise that the immediate focus in both campaigns is to compromise as many victims as possible for financial gain.
The NJCCIC recommends administrators review their database exposure and restrict direct public access as appropriate. If public access is necessary, enable strong passwords and continuous monitoring mechanisms across all internet-facing SQL databases to mitigate the effects of a brute-force attack. Additional details on the MySQL and PostgreSQL campaigns can be found in the Cybers Guards article and the ZDNet article, respectively.
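The two defender checks implied by this advisory are the "continuous monitoring" recommended above and a look for persistence accounts like the 'mysqlbackups'@'%' user described in the PLEASE_READ_ME campaign. The Python below is an added example written for this page; it is not code from the NJCCIC, Guardicore, or Unit 42. It counts failed-login entries per source address in MySQL error-log lines (the sample lines are constructed and approximate the "Access denied for user" format, which MySQL only emits at a raised error-log verbosity), and audits a list of (user, host) pairs, as returned by `SELECT user, host FROM mysql.user`, for any account that may connect from any host ('%') or that is not on a documented allowlist. The account audit goes beyond the single backdoor name on the page: any wildcard-host or undocumented account is flagged, since a name is easy to change. The threshold, allowlist, and sample data are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating MySQL's error-log entry for a rejected
# login. 203.0.113.5 is a documentation address used here as a fictional source.
SAMPLE_ERROR_LOG = """\
2020-12-17T10:00:01.000001Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:01.200001Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:01.400001Z 14 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:01.600001Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:01.800001Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:02.000001Z 17 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-17T10:05:00.000001Z 18 [Note] Access denied for user 'app'@'10.0.0.8' (using password: YES)
2020-12-17T10:05:03.000001Z 19 [Note] Access denied for user 'app'@'10.0.0.8' (using password: NO)
"""

# Constructed (user, host) rows, as SELECT user, host FROM mysql.user would return them.
# The last row mirrors the persistence account named in the advisory.
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("app", "10.0.0.%"),
    ("mysqlbackups", "%"),
]

# Assumed allowlist of accounts the administrator has documented as legitimate.
KNOWN_ACCOUNTS = {("root", "localhost"), ("app", "10.0.0.%")}

ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def failed_logins_by_source(log_text):
    """Map each source host to the list of usernames it failed to log in as."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            by_source[m.group("host")].append(m.group("user"))
    return by_source


def brute_force_sources(log_text, threshold=5):
    """Return (host, attempts, distinct_users) for hosts at or above the threshold.

    Many failures from one address, especially across several usernames, is the
    brute-force pattern both campaigns on this page rely on. Sorted by attempts
    descending so the noisiest source is first.
    """
    hits = []
    for host, users in failed_logins_by_source(log_text).items():
        if len(users) >= threshold:
            hits.append((host, len(users), len(set(users))))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


def any_host_accounts(accounts):
    """Accounts whose host part is '%', i.e. allowed to connect from anywhere."""
    return sorted(acct for acct in accounts if acct[1] == "%")


def unexpected_accounts(accounts, allowlist):
    """Accounts present on the server but absent from the documented allowlist."""
    return sorted(acct for acct in accounts if acct not in allowlist)


if __name__ == "__main__":
    for host, attempts, distinct in brute_force_sources(SAMPLE_ERROR_LOG):
        print(f"possible brute force from {host}: {attempts} failures, {distinct} usernames")
    for user, host in any_host_accounts(SAMPLE_ACCOUNTS):
        print(f"account reachable from any host: '{user}'@'{host}'")
    for user, host in unexpected_accounts(SAMPLE_ACCOUNTS, KNOWN_ACCOUNTS):
        print(f"undocumented account: '{user}'@'{host}'")
```

In practice the log parser would be fed the live error log (or a SIEM export) and the account list pulled from `mysql.user` on a schedule; an alert on either finding, combined with binding the server to a private interface or firewalling port 3306 as the advisory recommends, covers both the entry point and the persistence step described above. The same structure applies to PostgreSQL by swapping the regex for its "password authentication failed for user" log line and the account query for `pg_roles`.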