Misconfigured Public Cloud Databases are Found and Attacked Within Hours

Share this article on:

Misconfigured public cloud databases are often discovered by security researchers. Misconfigurations that leave cloud data exposed could be due to a lack of understanding about cloud security or policies, poor oversight to identify errors, or negligent behavior by insiders to name but a few. A recent report from Trend Micro revealed cloud misconfigurations were the number one cause of cloud security issues.

Security researchers at Comparitech often discover unsecured cloud resources, commonly Elasticsearch instances and unsecured AWS S3 buckets. When the unsecured cloud databases are discovered, the owners are identified and notified to ensure data is secured quickly. Providing the owner can be identified, the databases are usually secured within a matter of hours, but there have been several cases where the database owner has been contacted but no response is received, and it is not always apparent to whom the data belongs.

In these cases, data can be left exposed online for several days or even weeks. During that time, the databases remain unprotected and can be accessed and downloaded by anyone that knows where to find them. Comparitech researchers are well practiced at finding unsecured Elasticsearch databases and AWS S3 buckets, but how quickly can malicious actors sniff out an unsecured database? Comparitech decided to find out. It turns out that it does not take long.

To determine the time it takes for unsecured data to be found, Comparitech’s security team conducted an exercise where they created a simulation of an Elasticsearch instance, similar to the many Elasticsearch instances they have found unsecured. They populated it with fake user data and left it exposed without any access controls. The database was exposed from May 11, 2020 to May 22, 2020.

In a recent blog post detailing the exercise, Comparitech security researcher Paul Bischoff explained that the first access request occurred 8 hours and 35 minutes after the database was created. During the 11 days that the database was exposed, there were 175 access requests. Their honeypot averaged 18 requests a day.

Exposed databases are usually located using an IoT search engine such as Shodan. It takes time for the data to be indexed by the search engines, in this case, Shodan indexed the database on May 16, five days after the database was created. Even though the database was not indexed until May 16, by the time it was there had been 3 dozen attempts to access the data. As soon as the database was indexed, the attacks spiked. Two access attempts were made within a minute of the database being indexed, with a further 20 access requests made that same day.

There are several reasons why attempts are made to find unsecured cloud resources. Databases often contain sensitive data, which can be used for identity theft and fraud or sold on underground forums. Databases can be hijacked and ransom demands issued to extort money from the data owners, but not all attacks were concerned with obtaining data. Several attempts were made to hijack the servers and download cryptomining scripts. In one case, an attacker attempted to switch off the firewall and delete the database.

While the test was concluded on May 22, 2020 and the data was mostly deleted, an further attack occurred on May 29. A malicious bot detected the honeypot and deleted the database, leaving a message demanding payment of 0.06 BTC to recover the data. That attack took 5 seconds from start to finish.

The exercise showed that even if databases are only exposed for a short period of time, it is highly likely that they will be found. While many companies say their data was not left unsecured for long when they are notified by Comparitech of an exposed cloud instance, it is probable that data has already been compromised unless data was only exposed for a few hours.

Comparitech pointed out that if the person setting up an Elasticsearch instance fails to put access controls in place, it is reasonable to assume that logging has also not been enabled. When companies report that no evidence was found to suggest data was accessed or exfiltrated, that does not mean data has not been accessed and stolen, only that there is a lack of evidence.   A 2019 report from McAfee suggested 99% of misconfigurations in the cloud go unreported when they are discovered. It is probable that data theft from cloud resources is far more likely than breach reports would lead you to believe.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On