MySQL instances attacked by database blackmailers

By

Copycats delete databases without dumping them.

Internet-facing instances of the popular MySQL information store are being targeted by attackers following similar attacks on insecure databases earlier this year.

MySQL instances attacked by database blackmailers

Security vendor GuardiCore this month spotted hundreds of attacks emanating from a Dutch web hosting company. 

The attack itself relies on brute-forcing or guessing the root password for MySQL instances. If the attacker gets in to the MySQL database, a new table called "WARNING" with contact details for a ransom payment is added. In a variant of the attack, the ransom note table is called "PLEASE_READ".

After the ransom note tables are created, the attacker then deletes all databases found on the compromised server.

The ransom is 0.2 Bitcoin (A$297.50) to restore the data.

It is highly unlikely that the extortionists have copied over the information before deleting it.

"Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration," GuardiCore said.

Despite this victims appear to have been paying the ransom, based on blockchain information for the different Bitcoin wallets used by the attackers. 

Whether or not the victims got their data back after paying the ransom is not clear.

Administrators are encouraged to minimise database exposure to the internet to avoid being hit by blackmailers and losing their data, and also to ensure use of strong passwords.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments

Qantas contacted by "potential cyber criminal"

Qantas contacted by "potential cyber criminal"

SA Power Networks tackles IAM, cloud security under five-year strategy

SA Power Networks tackles IAM, cloud security under five-year strategy

Top US diplomat impersonated with AI by unknown actor

Top US diplomat impersonated with AI by unknown actor

Log In

  |  Forgot your password?