Security researchers have noticed an increase in the number of databases publicly exposed to the Internet, with 308,000 identified in 2021. The growth continued quarter over quarter, peaking in the first months of this year.
In the first quarter of 2022, the number of exposed databases peaked at 91,200 instances, researchers at threat intelligence and research company Group-IB say in a report shared with BleepingComputer.
Databases end up exposed on the public internet in many cases because of misconfiguration. Hackers often hunt for them using search engines that index systems reachable from the open web, then steal the content or hold it for financial extortion.
Group-IB used its Attack Surface Management solution to scan the entire IPv4 space for open ports relevant for accessing a database and to check if the indexes or tables are available.
Tim Bobak, Attack Surface Management Product Lead at Group-IB, told BleepingComputer that the company’s solution is limited to checking if the database is exposed or not and it does not have any capability to collect or analyze the content of a database.
Telemetry data gathered this way does not show if the open databases are vulnerable to security flaws or if an unauthorized party accessed them while exposed on the web.
A growing problem
Most of the exposed instances discovered by Group-IB are on servers based in the U.S. and China, while Germany, France, and India also account for notable percentages.
When it comes to the database management system used in the exposed instances, most of them are Redis, with almost double the number of the runner-up in Q1 2022, MongoDB. Elastic accounts for a smaller portion that is still in the tens of thousands, while MySQL recorded the fewest instances detected by Group-IB.
These management systems have taken measures to alert admins when they configure instances for public access without a password, but the problem persists.
Bob Diachenko, a security researcher who specializes in database security, told BleepingComputer the following regarding these security measures:
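The article does not show what such a misconfiguration looks like on disk. The following is an added example, not Group-IB's scanner or anything from the report: a small Python audit that reads a redis.conf or mongod.conf and flags the combination behind most exposed instances, a bind to every interface with no authentication. The sample configurations are constructed. The Redis logic follows the documented protected-mode rule (it only guards the case where neither a bind directive nor a password is set), and the YAML reader handles only the flat nested maps mongod.conf uses.

```python
"""Added example: audit Redis / MongoDB config files for public exposure without
authentication. Sample configs are constructed; nothing here opens a socket."""
from dataclasses import dataclass

# Bind values that mean "listen on every interface".
PUBLIC_BINDS = {"0.0.0.0", "*", "::", "0:0:0:0:0:0:0:0"}


@dataclass
class Finding:
    system: str
    severity: str  # "critical", "medium" or "info"
    message: str


def parse_redis_conf(text: str) -> dict:
    """redis.conf is 'directive value...' per line; a repeated directive wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        conf[directive.lower()] = value.strip().strip('"')
    return conf


def audit_redis(text: str) -> list:
    conf = parse_redis_conf(text)
    bind = conf.get("bind")  # absent => Redis listens on all interfaces
    # Redis 7 allows a leading '-' for optional addresses; drop the marker.
    addrs = [a.lstrip("-") for a in bind.split()] if bind else None
    public = addrs is None or any(a in PUBLIC_BINDS for a in addrs)
    has_auth = bool(conf.get("requirepass"))
    protected = conf.get("protected-mode", "yes").lower() == "yes"
    if not public:
        return []
    if has_auth:
        return [Finding("redis", "info",
                        "reachable on a public interface; password set, keep it firewalled")]
    if addrs is None and protected:
        # protected-mode only covers the no-bind, no-password case; an explicit
        # 'bind 0.0.0.0' or 'protected-mode no' removes that last barrier.
        return [Finding("redis", "medium",
                        "no bind and no password: protected-mode is the only barrier left")]
    return [Finding("redis", "critical",
                    "public bind (or protected-mode off) with no password: open to anyone")]


def parse_yaml_subset(text: str) -> dict:
    """Just enough YAML for mongod.conf: indent-based nested maps of scalars."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            parent[key] = child = {}
            stack.append((indent, child))
        else:
            parent[key] = value.strip().strip("\"'")
    return root


def audit_mongod(text: str) -> list:
    conf = parse_yaml_subset(text)
    net, security = conf.get("net", {}), conf.get("security", {})
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    # mongod has defaulted to localhost only since 3.6.
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    public = bind_all or any(a in PUBLIC_BINDS for a in addrs)
    has_auth = str(security.get("authorization", "disabled")).lower() == "enabled"
    if not public:
        return []
    if has_auth:
        return [Finding("mongod", "info", "public bindIp with authorization on; firewall and TLS still needed")]
    return [Finding("mongod", "critical",
                    "public bindIp with security.authorization disabled: unauthenticated read/write")]


# Constructed samples: the weak form beside the corrected one.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass replace-with-a-long-random-secret\n"
WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nstorage:\n  dbPath: /var/lib/mongodb\n"
HARDENED_MONGOD = "net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, result in [("weak redis", audit_redis(WEAK_REDIS)), ("hardened redis", audit_redis(HARDENED_REDIS)),
                         ("weak mongod", audit_mongod(WEAK_MONGOD)), ("hardened mongod", audit_mongod(HARDENED_MONGOD))]:
        print(name, "->", [f"{f.severity}: {f.message}" for f in result] or "no findings")
```

Point `audit_redis` and `audit_mongod` at the contents of your own config files to get the same three-level verdict; a "critical" finding is the exact state the Group-IB scan counts as exposed.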
This might be an unpopular opinion, but the more sophisticated measures to protect DBMSs are introduced by vendors, the more likely there is a chance for misconfiguration and hence an inadvertent exposure of data.
A database's purpose is not only to store the data but also to allow an immediate and convenient way of sharing this data and its analysis by other team members.
More and more people are involved in database management processes these days, and ultimately they try to ease and speed up the access – so omitting the login process is often the easiest and most obvious way for them.
Unfortunately, it takes admins an average of 170 days to notice the misconfiguration and fix the exposure, which is more than enough time for malicious actors to find the instances and siphon their contents.
The fixing time was 113 days in Q3 2021, but it has worsened since, likely due to IT personnel being overwhelmed by the rapid expansions of public-facing assets.
Exposure of the data not only leads to loss of customer trust and business disruption, but also to major fines imposed by data protection offices for failure to secure sensitive client information.
Security measures
Group-IB’s Bobak notes that most issues that plague database security can be easily prevented.
Last year, over 50% of our incident response engagements stemmed from a preventable, perimeter-based security error. A public-facing database, an open port, or a cloud instance running vulnerable software are all critical but ultimately avoidable risks. As the complexity of corporate networks keeps growing, all companies need to have complete visibility over their attack surface. – Tim Bobak, Group-IB
Database security can be ensured if admins follow a few key steps when setting up instances and after maintenance sessions. These can be summed up as follows:
Ensure that the database isn’t publicly exposed if it doesn’t need to be.
Keep your database management system up to date to reduce exploitable flaws.
Use strong user authentication for accessing the instance.
Deploy strong data encryption protocols for all stored information.
Use database and web app firewalls employing packet filters, packet inspection, and proxies.
Use real-time database monitoring.
Avoid using default network ports that expose instances to malicious scans.
Follow server segmentation practices when possible.
Keep offline backups of your data in encrypted form.