Poorly secured PostgreSQL, MySQL servers targeted by ransomware bot

Users exposing poorly secured PostgreSQL and MySQL servers online are in danger of getting their databases wiped by a ransomware bot, Border0 researchers are warning.

The attackers asks for a small sum to return / not publish the data, but those who pay will not get their data back, as the bot takes only a small amount of it before wiping it all.

How the ransomware bot operates

Spurred by a recent tweet in which the poster shared that their accidentally exposted PostgreSQL server was “immediately” compromised and wiped, Border0 researchers wanted to see whether and how quickly a simple PostgreSQL server – accessible from anywhere on the Internet by using the postgres username and the password password – would be targeted by the same bot once they exposed it online.

They did the experiment a few times and the result was always the same: within hours, the bot:

• Accessed the server (from an IP from a Dutch hosting provider)
• Identified and explored the databases
• Took snapshots of each table in the databases (but just the first 10 or 20 rows)
• Deleted all the databases
• Terminated all backend processes (likely to stymie defensive actions by administrators or automated systems)
• Created a new database named readme_to_recover, which contains the ransom note

The ransom note (Source: Border0)

“If you decide not to retrieve the data, we may sell your database in online markets, disclose it to your users and request payment from them, disclose it in online breach forums, or delete it. We will contact the GDPR authorities in your country if applicable,” the attackers threaten in the linked “guide”.

After deleting PostgreSQL databases, the attackers ask for 0.007 BTC (around $330). The ransom is 0.017 BTC (around $730) if the bot wiped MySQL databases. In both cases, paying the ransom won’t result in victims getting their data back.

How effective is this approach for the attackers?

There is no lack of publicly accessible PostgreSQL and MySQL servers out there, easily discoverable via search engines like Shodan, Border0 researchers noted.

“It’s not surprising to see many open database services in the public cloud. If you run your database in say DigitalOcean or even AWS, then these cloud providers don’t always make it easy to access your database from your desktop, or even a workload running in a different region or provider. You may have no other option than to open it from anywhere,” they explained.

“Also, for Docker users, it’s important to know that using docker run -p to publish a container’s port alters your iptables rules for DNAT-based port forwarding. This Docker feature manages external communication for containers, overriding any default deny settings in your iptables INPUT table, thus making the port accessible publicly.”

“Taking a closer look at the Bitcoin address specified in the ransom note reveals the activity. Five separate transactions were made to this address in the last few days, combined, bringing in just over $2,400 USD. Notably, each time funds were transferred to it, they were swiftly moved to another wallet,” the researchers also shared.

According to The Register, this other wallet “has been up and running since August 25, 2021, and routinely receives multiple daily payments in the thousands of dollars, suggesting the possibility that the database bot is being run by an individual or group that engages in other, more lucrative avenues of cybercrime.”

This type of automated attack against poorly secured database servers has been going on for years. In 2020, Intruder researchers demonstrated how unsecured MongoDB databases were getting similarly compromised and wiped, and their owners faced with an almost identical ransom note.

Security researcher Kevin Beaumont says that MariaDB databases are also targeted this time around.