January 18, 2017, updated 20 Jan 2017 3:11pm

MongoDB, ElasticSearch hackers now target Hadoop with ransomware

8,000-10,000 HDFS installations worldwide could be exposed to attack.

By Ellie Burns

Following recent cyber attacks on MongoDB and ElasticSearch, hackers are now targeting Internet-facing Hadoop Distributed File System (HDFS) installations.

As with the attacks on MongoDB and ElasticSearch, the attackers are holding databases for ransom and, in many reported cases, simply deleting the data. Fidelis Cybersecurity Threat Research has now confirmed that this sort of attack is hitting HDFS instances, and the company estimates the potential exposure at around 8,000-10,000 HDFS installations worldwide.

In one incident, Fidelis observed an attacker erasing most of the directories and creating a single directory called “NODATA4U_SECUREYOURSHIT”. There was no attempt to claim a ransom or any other communication: the data was simply deleted and the directory name was left as a calling card. Further investigation found a core issue similar to MongoDB's, namely that the default configuration can allow “access without authentication.”


This means an attacker with basic proficiency in HDFS can start deleting files. On or around January 5 to January 6, traffic to TCP port 50070, the NameNode's default HTTP port in Hadoop 2.x and the one that serves the WebHDFS REST interface, soared as attackers scanned for open HDFS installations to target.
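The check a defender would want to run against the weakness described above, as an added example that is not code from the article or from Fidelis: it sends the unauthenticated directory listing an attacker's scanner would send to port 50070, classifies the NameNode's answer, and audits a core-site.xml for the settings that leave WebHDFS anonymous. The URL layout, port and property names are those of the public WebHDFS REST API and Hadoop's core-site.xml; the host names, sample HTTP responses and sample configuration files are constructed for illustration.

```python
"""Check a Hadoop NameNode for unauthenticated WebHDFS access.

Added example, not from the article or from Fidelis. Host names, sample
responses and sample core-site.xml files are constructed; URL layout,
port and property names follow WebHDFS and Hadoop 2.x core-site.xml.
"""
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Default NameNode HTTP port in Hadoop 2.x, the port whose scan traffic spiked.
WEBHDFS_PORT = 50070


def classify_webhdfs_response(status, headers, body):
    """Classify the answer to GET /webhdfs/v1/?op=LISTSTATUS sent with no credentials.

    OPEN          - the NameNode served an anonymous caller
    AUTH_REQUIRED - 401 / Negotiate: HTTP auth is Kerberos (SPNEGO)
    NOT_WEBHDFS   - anything else (no WebHDFS here, or it is disabled)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "negotiate" in hdrs.get("www-authenticate", "").lower():
        return "AUTH_REQUIRED"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "NOT_WEBHDFS"
        if isinstance(data, dict) and "FileStatuses" in data:
            return "OPEN"
    # A 403 AccessControlException in simple mode still means anonymous callers
    # reach the service: the client can just resend with ?user.name=hdfs.
    if status == 403 and "RemoteException" in body:
        return "OPEN"
    return "NOT_WEBHDFS"


def probe_namenode(host, port=WEBHDFS_PORT, timeout=5):
    """Live check (needs network): list the HDFS root with no credentials."""
    url = f"http://{host}:{port}/webhdfs/v1/?op=LISTSTATUS"
    req = urllib.request.Request(url, headers={"User-Agent": "hdfs-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_webhdfs_response(resp.status, resp.headers,
                                             resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_webhdfs_response(err.code, err.headers,
                                         err.read().decode("utf-8", "replace"))


def audit_core_site(xml_text):
    """Return the settings in a core-site.xml that leave HDFS open to anonymous callers."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name:
            props[name.strip()] = (value or "").strip()
    # Hadoop's defaults apply when a property is absent: everything is "simple".
    rpc_auth = props.get("hadoop.security.authentication", "simple")
    http_auth = props.get("hadoop.http.authentication.type", "simple")
    anon_ok = props.get("hadoop.http.authentication.simple.anonymous.allowed", "true")
    findings = []
    if rpc_auth != "kerberos":
        findings.append(f"hadoop.security.authentication={rpc_auth}: RPC callers are trusted on their asserted username")
    if http_auth != "kerberos":
        findings.append(f"hadoop.http.authentication.type={http_auth}: WebHDFS takes user.name at face value")
        if anon_ok.lower() == "true":
            findings.append("hadoop.http.authentication.simple.anonymous.allowed=true: requests without user.name run as dr.who")
    return findings


# Constructed sample data (not captured traffic, not a real cluster's config).
OPEN_BODY = json.dumps({"FileStatuses": {"FileStatus": [
    {"pathSuffix": "NODATA4U_SECUREYOURSHIT", "type": "DIRECTORY", "owner": "dr.who"}]}})
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    print(classify_webhdfs_response(200, {}, OPEN_BODY))                          # OPEN
    print(classify_webhdfs_response(401, {"WWW-Authenticate": "Negotiate"}, ""))  # AUTH_REQUIRED
    for finding in audit_core_site(WEAK_CORE_SITE):
        print("weak:", finding)
    print("hardened findings:", audit_core_site(HARDENED_CORE_SITE))             # []
    # Against a real NameNode: print(probe_namenode("namenode.example.internal"))
```

A listing that comes back, or a permission error that is not a 401, both mean the NameNode is talking to whoever connects; in simple mode the `user.name` query parameter is believed as sent, so the only real fix is the Kerberos settings shown in the hardened sample together with keeping port 50070 off the Internet.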

Fidelis also said the attackers could be based in China, while cautioning that attackers use infrastructure all over the world to hide their identities. The pointer to China is the spike in traffic seen when the attack occurred: port statistics from the SANS Internet Storm Center and Qihoo 360’s Netlab show that the surge in scans for port 50070 came almost exclusively from a single Chinese IP address, 125.64.94.201.

Fidelis stated that any database service directly exposed to the internet without adequate authentication is at risk. The security company advised service providers to “implement strong authentication and access isolation. Users of such services should assess these protective measures before entrusting their data to these services. Always back up data using a robust monitoring program to detect and respond to instances in the event unauthorized access occurs.”
