Insecure provisioning of data in the cloud can lead to exploitable systems and devices being detected and attacked in frenzies.
Dangle a honeypot of seemingly valuable (but fake) data in plain sight of hackers and what do you think they would do?
No fewer than 175 unauthorized requests were made for the period covering May 11, 2020 to May 22, 2020 for an average of 18 attacks per day.
Of course, some of those requests could have been made by security researchers rather than malicious actors. As IP addresses can be changed with a proxy, it cannot be determined for certain where the attacks come from.
Yet, based on the detected IP addresses alone, the largest attacks came from the USA (89), then Romania (38), and finally China (15). In the case of a ransomware bot attack, both the IP address and the time zone showed that it originated from the Netherlands.
Cloud databases are easy targets
The experiment described here was conducted by Comparitech, a pro-consumer website that wanted to learn how quickly attacks are made against vulnerable databases on the web. The research subsequently revealed that hackers would attack an unsecured database 18 times a day to steal or destroy data.
The honeypot was set up by Bob Diachenko of the research team to serve as bait on Elasticsearch, a cloud server where data is usually stored. Elasticsearch is also an analytics engine that identifies vulnerabilities and shares the information for educational purposes.
Once the bait was set, the researchers noted that many attackers used their own scanning tools to search for vulnerable databases. Just as many however, use internet-of-things (IoT) search engines like BinaryEdge or Shodan.io. Finding vulnerable databases and other devices on the web can be easy as there are many engines specifically designed for such a task.
A malware like Kaiji, for instance, automatically searches for exposed operating systems. A timestamp of 9 hours is not uncommon—the first attack in Comparitech’s trap occurred in just 8 hours and 35 minutes after deployment. And Bby the time the first attack is launched, a bad actor or a malicious attacker would do even greater damage before a company can identify or fix the problem. As Paul Bischoff, privacy advocate and VPN expert states in his blog, “time is of the essence in these situations.”
During the attack, different types of damage can be done. An illustrative example was when a ransomware bot deleted content from the fake database on May 29, 2020. The attack lasted five seconds, and in that short time, the attacker obtained data, deleted it, and requested for payment.
There are other types of attacks: credential or password theft, mining cryptocurrency, and changing server configuration. The most common requests were GET (used in 147 attacks) and POST (24 attacks).
What the research taught
Now that we know how fast data can be compromised if left exposed with no authentication methods, what is the best way to protect data against potential bad actors?
Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group, explained: “Every mistake in provisioning your resources can lead to big problems. We see often that insecure steps are made when deploying instances in the cloud environment. Insecure security settings lead to exploitable systems and devices. I recommend that companies have procedures around provisioning resources and hold to them much like a pilot’s check list in preparation for takeoff.”
This measure then leads to two important things: First, the creation of security policies and procedures. Secondly, a check list that does not leave room for mistakes.
Indeed, preparing well before takeoff and ensuring security measures are in place can stave off disaster not merely in a flight, but in the worldwide web.
