Over the past few years we’ve seen an ever-growing tide of data breaches, with reports of new breaches coming out almost every day. Having said that, there are still very few published details on how actual data exfiltration happens. This is mainly because organizations that have been breached are hesitant to share any information beyond what they are obligated to share by law.
As a result, while there is quite a lot of information on how endpoints become infected as well as on what the Command and Control (C&C) communication looks like (IP reputation, etc.), there is almost none on what the threat looks like from enterprise data center point of view. There are lots of discussions about the need to share information, and for a good reason. Unfortunately, these discussions have not necessarily translated into actual sharing.
This lack of insight greatly hampers the ability to develop effective security measures. Statistics are always open to interpretation, and because the security industry is left to rely on statistical analysis, security strategies are often left with a gaping hole.
To fill that void, we constantly conduct research to understand the properties of potential threats to data centers. Our latest Hacker Intelligence Initiative report, “Assessing the Threat Landscape of DBaaS” is the latest result of this research initiative.
What does DBaaS have to do with it?
Data centers are no longer confined to the enterprise perimeter. More and more enterprises take their data to the cloud, but forget to adjust their risk management practices when doing so. The recent MongoHQ breach is just one example of this type of oversight.
While we didn’t find malware that directly attacked a database, our research did find and analyze malware with a module able to connect to Microsoft MSSQL. Moreover, the research found that this malware was used to connect automatically to a cloud-hosted MSSQL service for both C&C and data exfiltration purposes.
As an interesting side note, after the report was written we also stumbled upon a noteworthy sample: malware that brought its own MySQL client DLL to the infected machine. This supports our assessment of the growing trends in data center security threats.
What’s in the Report?
The report shows how attackers took advantage of hosted database services in order to set up their own C&C and drop servers. The servers led us to some interesting insights about the advantages of using “malicious” hosted data-stores, and the risks they present to legitimate users. For example, enterprises need to re-assess the severity of database vulnerabilities in a hosted environment.
Analyzing the attackers’ data-store also revealed interesting points, for example the targeting of business platforms. In conclusion, we predicted what we believe are the growing trends in the data-store threat landscape.
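The traffic pattern described above and in the malware findings earlier on this page (a compromised endpoint talking directly to a hosted MSSQL or MySQL service for C&C and exfiltration) is something a data center team can look for in its own connection logs. The following is an added detection example, not code from the report or from Imperva; the log format, host roles, internal address ranges and volume threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection records (firewall/netflow style); not real traffic.
SAMPLE_LOG = """\
2013-11-04T10:15:22Z src=10.0.5.17 role=workstation dst=203.0.113.45 dport=1433 bytes_out=5242880
2013-11-04T10:16:03Z src=10.0.5.17 role=workstation dst=203.0.113.45 dport=1433 bytes_out=7340032
2013-11-04T10:17:40Z src=10.0.5.22 role=workstation dst=198.51.100.8 dport=443 bytes_out=20480
2013-11-04T10:18:11Z src=10.0.1.5 role=appserver dst=10.0.2.9 dport=1433 bytes_out=1048576
2013-11-04T10:19:57Z src=10.0.5.31 role=workstation dst=203.0.113.77 dport=3306 bytes_out=4096
"""

# Database engines named on the page: MSSQL from the report, MySQL from the side note.
DB_PORTS = {1433: "mssql", 3306: "mysql"}
# Host roles expected to open database connections (assumed inventory); anything else is suspect.
DB_CLIENT_ROLES = {"appserver", "dbserver"}
# Assumed per-source/destination outbound volume above which we flag possible exfiltration.
EXFIL_BYTES = 10 * 1024 * 1024
# The organization's own address space (assumed); any other destination is treated as hosted/external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"src=(\S+) role=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)")

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def parse(log_text):
    """Yield (src, role, dst, dport, bytes_out) from the constructed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, role, dst, dport, nbytes = m.groups()
            yield src, role, dst, int(dport), int(nbytes)

def detect(log_text):
    """Return sorted (src, dst, reason) findings for database traffic leaving the perimeter."""
    findings = set()
    volume = defaultdict(int)
    for src, role, dst, dport, nbytes in parse(log_text):
        if dport not in DB_PORTS or is_internal(dst):
            continue  # internal database use and non-database ports are out of scope here
        engine = DB_PORTS[dport]
        if role not in DB_CLIENT_ROLES:
            findings.add((src, dst, f"{role} host opened external {engine} connection"))
        volume[(src, dst)] += nbytes
        if volume[(src, dst)] > EXFIL_BYTES:
            findings.add((src, dst, f"external {engine} outbound volume exceeds threshold"))
    return sorted(findings)
```

Running `detect(SAMPLE_LOG)` flags the two workstations that opened connections to external database ports, and separately flags the first of them once its cumulative outbound volume to the hosted MSSQL endpoint crosses the threshold.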
Where can I learn more?
Posted by Barry Shteiman at 01:12:28 PM