What's worse than paying an extortion bot that auto-pwned your database?
2024-01-17 15:00

Publicly exposed PostgreSQL and MySQL databases with weak passwords are being autonomously wiped out by a malicious extortion bot - one that marks who pays up and who is not getting their data back.

Origin unknown, the bot is routinely breaching poorly protected databases within hours of exposure to the internet, according to security researchers at Border0.

In repeated experiments that ran a PostgreSQL server with weak credentials on a VM, the bot successfully compromised the dummy databases multiple times a day.

The bot scans the internet for PostgreSQL and MySQL servers before looking inside for databases that can be brute-forced.

Once inside, the bot determines the number of tables available and takes a snapshot of the database before deleting all tables and databases using 'DROP TABLE' and 'DROP DATABASE' commands.
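The chain described above (repeated failed logins, a successful login, then 'DROP TABLE' and 'DROP DATABASE') can be searched for in PostgreSQL server logs. The following is an added detection example, not code from the article or from Border0; it covers PostgreSQL only and assumes `log_line_prefix = '%m [%p] %h %u@%d '`, `log_connections = on` and `log_statement = 'ddl'`, and the log lines in it are constructed.

```python
import re
from collections import defaultdict

# Assumed settings: log_line_prefix = '%m [%p] %h %u@%d ', log_connections = on,
# log_statement = 'ddl'. Adjust LINE if your prefix differs.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>\S+) (?P<user>\S*)@(?P<db>\S*) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
DROP = re.compile(r"^statement:\s*DROP\s+(TABLE|DATABASE)\b", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, made-up object names).
SAMPLE_LOG = """\
2024-01-17 15:00:01.101 UTC [4101] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-01-17 15:00:02.102 UTC [4102] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-01-17 15:00:03.103 UTC [4103] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-01-17 15:00:04.300 UTC [4104] 203.0.113.7 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-01-17 15:00:05.010 UTC [4104] 203.0.113.7 postgres@postgres LOG:  statement: DROP TABLE customers;
2024-01-17 15:00:05.200 UTC [4104] 203.0.113.7 postgres@postgres LOG:  statement: DROP DATABASE shop;
2024-01-17 15:01:00.000 UTC [4200] 198.51.100.20 app@shop LOG:  connection authorized: user=app database=shop
2024-01-17 15:01:01.000 UTC [4200] 198.51.100.20 app@shop LOG:  statement: DROP TABLE tmp_import;
"""

def find_wipe_chains(lines, min_failures=3):
    """Return one finding per host that had >= min_failures failed logins,
    then logged in successfully, then issued DROP TABLE / DROP DATABASE."""
    failures = defaultdict(int)   # host -> failed password attempts seen so far
    breached = {}                 # host -> finding, created at the suspicious login
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        if m["level"] == "FATAL" and msg.startswith("password authentication failed"):
            failures[host] += 1
        elif msg.startswith("connection authorized") and failures[host] >= min_failures:
            breached.setdefault(host, {"host": host, "user": m["user"],
                                       "failures": failures[host],
                                       "login": m["ts"], "drops": []})
        elif host in breached and DROP.match(msg):
            breached[host]["drops"].append(msg.split(":", 1)[1].strip())
    # Hosts that logged in after failures but dropped nothing are not reported.
    return [f for f in breached.values() if f["drops"]]

if __name__ == "__main__":
    for finding in find_wipe_chains(SAMPLE_LOG.splitlines()):
        print(finding)
```

The second host in the sample drops a table without any preceding failed logins, so it is not reported; the threshold of three failures is an arbitrary starting point to tune against your own baseline.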

The secondary wallet has been up and running since August 25, 2021, and routinely receives multiple daily payments in the thousands of dollars, suggesting the possibility that the database bot is being run by an individual or group that engages in other, more lucrative avenues of cybercrime.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/17/extortion_bot_is_autopwning_postgresql/