Insecure Hadoop and CouchDB installations are the latest targets of cybercriminals who are hijacking and deleting data. Last week, security researchers said 28,000 MongoDB and Elasticsearch installations were hacked in a new wave of attacks against unprotected open source data management platforms.
On Friday, security researchers Victor Gevers, who has been both monitoring MongoDB and Hadoop database attacks, said so far 126 Hadoop and 452 CouchDB installations have been hacked. Like with MongoDB and Elasticsearch, attackers are taking advantage of default installations of Hadoop and CouchDB where either no credentials or easy-to-guess credentials allow for simple attacks.
“A core issue is similar to MongoDB, namely the default configuration can allow ‘access without authentication.’ This means an attacker with basic proficiency in (Hadoop Distributed File System) can start deleting files,” wrote Fidelis Threat Research Team, also tracking the database attacks.
Interestingly, unlike MongoDB breaches where an attacker asked victims to pay a ransom to retrieve stolen data, with Hadoop, breached data is simply destroyed. A note, in the form of a crude directory name is left behind.
With CouchDB, Gevers said, attacks are identical to MongoDB and Elasticsearch; where a ransom note is left behind demanding money for data retrieval. As with MongoDB and Elasticsearch, data is most likely destroyed and those who pay the ransom do not retrieve their data back.
Mike Olson, chief strategy officer and co-founder of Cloudera, one of several firms that provides Apache Hadoop-based software, said the problem has nothing to do with security of these platforms. “This is a problem that has to do with deployment and operations discipline.”
Olson said Hadoop has a bevy of security and data protection capabilities. “You can encrypt all the data that’s on the platform, you can separate the key management from the system and you can take advantage authentication, access control and user enroll-based rights to the data. The systems that have been attacked have not taken advantage of these features,” he said.
Cloudera customers are reminded of those safety and security provisions every step of the way during installation, according to Olson.
Gevers said he began tracking attacks on Tuesday that first targeted Hadoop installations and then CouchDB installations. The latest Shodan scan (conducted Friday afternoon) reveals 5,160 unprotected Hadoop installations and 4,530 open CouchDB.
Gervers said it appears that most Hadoop attacks are being performed manually. However, with CouchDB, the attacks have become automated, just as they have with MongoDB and Elasticsearch. He said a hacker with the handle “Kraken0” has added CouchDB to a ransomware kit for sale on the Dark Web that specifically targets open databases such as MongoDB, Elasticsearch and now CouchDB.
“We are going to see more instances of these types of attacks,” Gevers told Threatpost. “Sadly, there some people who want to see the world burn. Destroying insecure databases is turning into a huge problem, primarily because it can be done so easily.”
