
Malicious actor holds at least 31 stolen SQL databases for ransom

A malicious cyber actor or hacking collective has reportedly been sweeping the internet for online stores' unsecured SQL databases, copying their contents, and threatening to publish the information if the rightful owners don't pay up.

The perpetrator has copied at least 31 SQL databases and put the stolen copies up for sale on an unnamed website. Together these databases contain roughly 1.620 million rows of information, including e-commerce customers' names, usernames, email addresses, MD5-hashed passwords, birth dates, addresses, genders, account statuses, histories and more, according to a report from BleepingComputer.

The series of thefts underscores how e-commerce website operators can struggle with the very basics of asset management and data stewardship.

"Securing databases and other sensitive assets from inadvertent exposure requires understanding your asset inventory, having enforceable security controls in place, and [employing] continuous monitoring to detect configuration drift and insecurities," said Jack Mannino, CEO at nVisium. "Some databases ship with insecure default configurations, while many organizations also fail to implement basic security controls such as strong authentication and encryption of data at rest and in transit, either because of lack of specialist resources who understand the security features available in such databases or [because] business needs outpacing security. The absence of those controls makes mass exploitation attempts easier."

"Database breaches like these online shop attacks highlight the challenges organizations face in managing more complex access and security controls across an expanding organizational security environment," added Tony Cook, director at the Crypsis Group. "Complexity and lack of security staffing can provide fertile ground for potential misconfigurations to occur, which can ultimately end up enabling unauthorized access. Once an attacker finds the methodology for accessing any of these potential misconfigurations, it's trivial to utilize that same methodology to scan for the weakness across the internet."

Reportedly, the culprit is demanding a payment of 0.06 Bitcoin (roughly $526 today) within 10 days if the e-shops want to recover their customers' files without any further incident. BleepingComputer reports that the hacker has already received 97 transactions worth about 5.8 Bitcoin (roughly $50,860 today).

Over half of the affected online stores are based in Germany, but others are reportedly located in the U.S., Belarus, Brazil, India, Italy and Spain -- all running on various e-commerce platforms. Judging by 200-plus abuse reports linked to the attacker's two known Bitcoin wallets, there may be even more stolen databases. The abuse reports range in date from September 2019 through May 20 of this year.

One year ago, in May 2019, the “Unistellar” hacking group made news after reportedly accessing thousands of unsecured MongoDB databases and replacing their contents with a message instructing owners to contact them via a Unistellar email address, apparently so they could deliver ransom payment instructions.

"In today's pandemic bolstered e-commerce sector... most of the newly deployed web applications are insecure and vulnerable," said Ilia Kolochenko, founder and CEO of ImmuniWeb. "We will likely see a protracted surge of new attacks targeting careless web shops. Most of them are unfortunately poised to be highly successful, and costly for the victims."

To prevent future such incidents and protect confidential data, Cook advises that organizations begin by "first understanding the technologies being used to house the information and then taking steps to threat model how various forms of access could be possible. We recommend organizations perform proactive security reviews of their technologies as well as tabletop exercises that walk them through various incident scenarios. These exercises will help them determine what actions they could take before a breach happens, as well as helping them understand their current capabilities/gaps."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
