Following recent cyber attacks on MongoDB and ElasticSearch, hackers are now targeting Internet-facing Hadoop Distributed File System (HDFS) installations.
As with the attacks on MongoDB and ElasticSearch, hackers are holding databases for ransom and, in many reported cases, simply deleting the data. It has now been confirmed by Fidelis Cybersecurity Threat Research that these sort of attacks are happening on HDFS instances, with the company estimating that the potential exposure of this attack is around 8,000-10,000 HDFS installations worldwide.
In one incident, Fidelis observed an attacker erasing most of the directories and creating a single directory called “NODATA4U_SECUREYOURSHIT”. There was no attempt to claim a ransom or any other communication — the data was simply deleted and the directory name was left as a calling card. Further investigation saw a core issue similar to MongoDB, namely the default configuration can allow “access without authentication.”
This means an attacker with basic proficiency in HDFS can start deleting files. On or around January 5 to January 6, traffic to port 50070 soared as attackers scanned for open HDFS installations to target.
Fidelis also pointed out that the cyber crooks could originate from China, though the company was quick to point out that attackers use infrastructure all over the world to hide their identities. Evidence of this being the work of a hack originating in China was evident from a spike in traffic seen when the attack occurred. Port statistics from the SANS Internet Storm Center and the Qihoo 360’s Netlab shows that the spike is almost exclusively from a single Chinese IP of 188.8.131.52
Fidelis stated that any database service directly exposed to the internet without adequate authentication is at risk. The security company advised service providers to “implement strong authentication and access isolation. Users of such services should assess these protective measures before entrusting their data to these services. Always back up data using a robust monitoring program to detect and respond to instances in the event unauthorized access occurs.”