Hadoop, CouchDB logos

For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the stolen files, but in some cases, destroying data just for fun.

These incidents come after crooks hijacked and held data ransom from MongoDB databases since the start of the year.

Security experts that have witnessed the first wave of attacks against MongoDB servers predicted that other database servers would be hit as well.

A week after the initial attacks on MongoDB, ElasticSearch clusters were also hit. At the time of writing, over 34,000 MongoDB servers and 4,600 ElasticSearch clusters have been held for ransom.

Attacks hit Hadoop servers, but there's no ransom, just vandalism

Two security researchers, Victor Gevers and Niall Merrigan, have tracked these attacks from the beginning.

Speaking to Bleeping Computer, Gevers said that starting last week, January 12, an unknown attacker going by the name of NODATA4U has been accessing Hadoop data stores, wiping data, and replacing all tables with an entry named "NODATA4U_SECUREYOURSHIT."

Vandalised Hadoop server
Vandalised Hadoop server (Source: Niall Merrigan)

At the time of writing, researchers found 124 Hadoop servers with the above table name. What's strange about these attacks is that the threat actor isn't asking for a ransom demand.

Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet.

"There is a difference with the Hadoop cases," Gevers told Bleeping Computer, "these look like vandalism."

"It's possible to destroy al the data in few seconds. This attacker is moving much slower, like one host per hour," Gevers added.

Only one group seems to be involved in attacks against Hadoop engines. At the time of writing, there are around 5,400 Hadoop instances connected to the Internet, albeit we don't know how many of these allow connections to their web-based administration interfaces.

Security experts from Fidelis Cybersecurity also spotted the NODATA4U attacks on Hadoop servers.

Attackers hit CouchDB servers, demand ransoms

Today, these attacks on Internet-connected databases have spread to a new technology, to Apache CouchDB.

Unlike the Hadoop attacks, these are financially driven. Attackers are operating using the same M.O. as the MongoDB and ElasticSearch attackers, by accessing servers, cloning/wiping the data, and leaving a ransom demand in place.

Ransomed CouchDB database
Ransomed CouchDB database (Source: Victor Gevers)

It is unclear at the moment if the sole group of attackers, going by the name r3l4x, are exporting stolen data or are blatantly deleting it, and asking for a ransom anyway.

According to gathered intelligence, the r3l4x group seems to have hit 443 CouchDB servers.

Prompt response has saved countless of databases

Just like they did for the MongoDB and ElasticSearch attacks, Gevers and Merrigan have put together two Google spreadsheests for tracking the Hadoop and CouchDB attacks.

Furthermore, the two have also contacted local GovCERT teams, who in turn have sent out warnings to server owners worldwide.

Two warnings were issued last week regarding ElasticSearch and Hadoop attacks, and Gevers and Merrigan are working with CERT teams to send out one for CouchDB as well.

Their efforts have paid off. "Many critical Hadoop servers were pulled offline last weekend, and a few on Monday," Gevers told Bleeping Computer.

Since more and more groups are joining the attacks, and targeting more database types, it's getting harder for the two to keep track of all attacks.

That's why three other security researchers have joined their efforts. These are Bob Diachenko from the MacKeeper Security Research Center, Matt Bromiley from 505Forensics, and Dylan Katz from GitPrime.

As a final note, users affected by these attacks can reach out to the researchers for help. It's also worth mentioning that in many of these attacks, the perpetrators don't savea copy of the stolen data in all cases, and many victims paid the ransom without ever recovering their data.