MySQL databases are under siege from a ransomware attack that appears to be an evolution of the MongoDB ransack assault, researchers said.
As part of the assault, the attackers brute-force poorly secured MySQL servers, enumerate the existing databases and their tables, claim to steal them, and create a new table instructing owners to pay a 0.2 Bitcoin (around $200) ransom, said Ofri Ziv, a researcher at GuardiCore.
Paying, the attackers claim, would give owners back access to their data, but that is not entirely true: some databases were deleted without ever being stolen.
GuardiCore said there were hundreds of attacks over a 30-hour window starting at midnight on February 12.
All attacks were traced to the same IP address (18.104.22.168), hosted by worldstream.nl, a Netherlands-based web hosting company, which has been made aware of the issue. The researchers believe the attackers were using a compromised mail server that also serves as an HTTP(S) and FTP server.
“Every MySQL server facing the Internet is prone to this attack, so ensure your servers are hardened. Make sure your servers require authentication and that strong passwords are being used,” Ziv said in a post. “Minimizing Internet-facing services, particularly those containing sensitive information, is also a good practice. Monitoring your Internet-accessible machines/services is crucial to being able to rapidly respond to any breach.”
“Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration,” Ziv said.
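The two recommendations above, monitoring Internet-accessible MySQL servers and verifying whether an attacker actually read the data before dropping it, can be turned into a simple log check. The following is an added example, not code from GuardiCore or from the article: it replays a small constructed sample of lines laid out like the MySQL general query log (the log that records every connection and statement the server receives), groups them by connection, and flags any authenticated session that drops a database after a run of failed logins, enumeration, or a ransom-style note. It also records whether any SELECT against the victim data ran before the DROP, since a dump via mysqldump or SELECT ... INTO OUTFILE would show up there; a session with no such read offers no evidence that the data was ever exfiltrated. The host addresses, database names, the note table name and the ransom keyword list are all assumptions made for the sample.

```python
"""
Added example (not from the GuardiCore post or the article): detect the
brute-force -> enumerate -> DROP -> ransom-note sequence in MySQL
general-query-log style lines, and check whether the data was read first.
"""
import re
from collections import defaultdict

# Constructed sample approximating the general query log layout:
# <timestamp> <connection id> <command> <argument>
# Hosts, database names and the note text are made up for this example.
SAMPLE_LOG = """\
2017-02-12T00:00:01.000000Z   7 Connect  Access denied for user 'root'@'198.51.100.9' (using password: YES)
2017-02-12T00:00:02.000000Z   8 Connect  Access denied for user 'root'@'198.51.100.9' (using password: YES)
2017-02-12T00:00:03.000000Z   9 Connect  Access denied for user 'root'@'198.51.100.9' (using password: YES)
2017-02-12T00:00:04.000000Z  10 Connect  root@198.51.100.9 on  using TCP/IP
2017-02-12T00:00:05.000000Z  10 Query    SHOW DATABASES
2017-02-12T00:00:06.000000Z  10 Query    SHOW TABLES FROM shop
2017-02-12T00:00:07.000000Z  10 Query    DROP DATABASE shop
2017-02-12T00:00:08.000000Z  10 Query    CREATE DATABASE note
2017-02-12T00:00:09.000000Z  10 Query    CREATE TABLE note.msg (txt TEXT)
2017-02-12T00:00:10.000000Z  10 Query    INSERT INTO note.msg VALUES ('Send 0.2 Bitcoin (BTC) to get your data back')
2017-02-12T00:00:11.000000Z  10 Quit
2017-02-12T00:01:00.000000Z  11 Connect  app@10.0.0.5 on shop using TCP/IP
2017-02-12T00:01:01.000000Z  11 Query    SELECT id, total FROM orders WHERE id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<cid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
ENUM_RE = re.compile(r"^\s*SHOW\s+(DATABASES|TABLES)\b", re.I)
DROP_RE = re.compile(r"^\s*DROP\s+(DATABASE|TABLE)\s+(?:IF\s+EXISTS\s+)?`?(?P<name>[\w.]+)`?", re.I)
READ_RE = re.compile(r"^\s*SELECT\b", re.I)
# Assumption: words that mark a ransom note written into the database.
RANSOM_WORDS = ("bitcoin", "btc", "ransom")


def parse_log(text):
    """Split log lines into authenticated sessions (by connection id) and a
    per-host count of rejected logins."""
    sessions, denied = {}, defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cid, cmd, arg = m["cid"], m["cmd"], m["arg"]
        if cmd == "Connect":
            d = DENIED_RE.search(arg)
            if d:                       # failed login: count it against the host
                denied[d["host"]] += 1
                continue
            c = CONNECT_RE.match(arg)
            if c:                       # successful login opens a session
                sessions[cid] = {"user": c["user"], "host": c["host"], "queries": []}
        elif cmd == "Query" and cid in sessions:
            sessions[cid]["queries"].append(arg)
    return sessions, dict(denied)


def analyze(text, min_denied=3):
    """Return one finding per session that drops data and shows at least one
    other sign of the ransom pattern (brute force, enumeration or a note)."""
    sessions, denied = parse_log(text)
    findings = []
    for cid, s in sessions.items():
        qs = s["queries"]
        drops = [DROP_RE.match(q)["name"] for q in qs if DROP_RE.match(q)]
        if not drops:
            continue
        first_drop = next(i for i, q in enumerate(qs) if DROP_RE.match(q))
        # Any SELECT before the first DROP is the only evidence the log can
        # give that the data was read (a dump) before it was destroyed.
        read_before_drop = any(READ_RE.match(q) for q in qs[:first_drop])
        enumerated = any(ENUM_RE.match(q) for q in qs)
        ransom_note = any(w in q.lower() for q in qs for w in RANSOM_WORDS)
        brute_forced = denied.get(s["host"], 0) >= min_denied
        if enumerated or ransom_note or brute_forced:
            findings.append({
                "connection": cid, "user": s["user"], "host": s["host"],
                "brute_forced": brute_forced, "enumerated": enumerated,
                "dropped": drops, "read_before_drop": read_before_drop,
                "ransom_note": ransom_note,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the constructed sample the script reports a single session from 198.51.100.9 that was preceded by three rejected logins, enumerated the server, dropped `shop`, and wrote a note mentioning Bitcoin, with no SELECT before the DROP. That last field is the one to look at before considering any ransom demand: it is the log-level version of the "verify that the attacker actually holds your data" advice above. For this to work on a real server the general log (or an equivalent audit plugin) has to be enabled and shipped off the host before the attacker gets in.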