Varonis Threat Labs found that a publicly exposed Google Cloud SQL for MySQL instance with a weak root password was brute-forced in minutes, then ransomed after attackers stole decoy data and dropped Bitcoin-demanding notes. The same automated campaign did not compromise similarly deployed AWS RDS and Azure MySQL Flexible Server honeypots, highlighting dangerous gaps in MySQL access control and monitoring. #GoogleCloudSQL #AWSRDS #AzureMySQLFlexibleServer #VaronisThreatLabs
Keypoints
- Varonis Threat Labs tested how quickly exposed managed MySQL instances are attacked after deployment.
- A Google Cloud SQL for MySQL honeypot with a weak root password and public IP was attacked within minutes.
- Two separate attackers gained access to the GCP instance, stole decoy tables, and left ransom notes demanding Bitcoin.
- The same experiment on AWS RDS for MySQL and Azure MySQL Flexible Server was not compromised.
- The first attacker performed database reconnaissance, extracted data, dropped tables, and created a ransom table with payment instructions.
- A second attacker later compromised the restored instance using the same brute-force method and replaced the original ransom note with their own.
- The article emphasizes that authentication, access control, and logging are the customer’s responsibility even in managed database services.
MITRE Techniques
- [T1110.001] Brute Force: The attackers repeatedly tried passwords until they gained access to the exposed database, with one attacker succeeding after about 576 failed attempts (‘Within eight minutes, brute-force attacks started arriving’ / ‘After roughly 576 failed attempts, the attacker successfully accessed the database’).
- [T1190] Exploit Public-Facing Application: The managed MySQL instance was exposed to the internet through a public IP and then targeted by attackers (‘we created a MySQL instance with a public IP address’ / ‘unrestricted public access from any IP address (0.0.0.0/0)’).
- [T1018] Remote System Discovery: After logging in, the attacker enumerated databases and tables to map the environment (‘Enumerated all databases (SHOW DATABASES), listed tables (SHOW TABLES) … checked for table existence via INFORMATION_SCHEMA.TABLES’).
- [T1213] Data from Information Repositories: The attacker queried tables and extracted records from the database (‘extracted data using SELECT … FROM `Records`’).
- [T1485] Data Destruction: The attacker deleted tables after stealing data to prevent recovery (‘deleted tables (DROP TABLE `Records`)’).
- [T1486] Data Encrypted for Impact: The attackers extorted the victim by creating ransom notes and demanding Bitcoin for data return/non-disclosure (‘You must pay 0.0094 BTC … In 48 hours, your data will be publicly disclosed and deleted’).
- [T1562.001] Impair Defenses: The second attacker locked the ransom table and deleted the previous note to control the victim-facing message (‘locked the RECOVER_YOUR_DATA table … and deleted the original’).
Indicators of Compromise
- [IP addresses] exposed database access and attacker activity – 0.0.0.0/0, and multiple attacker IP addresses (not listed in the article)
- [Domain] ransom note contact and infrastructure – onionmail[.]org
- [Email address] ransom contact provided in the note – rambler+24hse@onionmail[.]org
- [Bitcoin address] payment destination in the ransom note – bc1qd9r8c0t7x0dw748f8ft5wng2wjf9puh29ay5ku
- [Database/table names] attacker-created and targeted database objects – RECOVER_YOUR_DATA, RECOVER_YOUR_DATA_info, Records
- [Database code] victim identifier included in ransom note – 24HSE
- [SQL queries] reconnaissance and destructive commands observed – SHOW DATABASES, DROP TABLE `Records`, SELECT /*!40001 SQL_NO_CACHE */ … FROM `Records`
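A detector for the two behaviours mapped above, added here as an example (not code from the Varonis article or from Varonis Threat Labs): it runs over constructed lines in the shape of a MySQL general query log and flags (1) a source IP with repeated rejected logins and (2) a session that reads a table, drops that same table and then creates a new one such as RECOVER_YOUR_DATA. The log line layout, IPs, thread ids and the threshold of 3 are assumptions for the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of MySQL general-log Connect/Query events;
# not from the article. Source IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 11 Connect Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T10:00:01Z 12 Connect Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T10:00:02Z 13 Connect Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T10:00:03Z 14 Connect root@203.0.113.5 on  using TCP/IP
2024-05-01T10:00:05Z 14 Query SELECT /*!40001 SQL_NO_CACHE */ * FROM `Records`
2024-05-01T10:00:06Z 14 Query DROP TABLE `Records`
2024-05-01T10:00:07Z 14 Query CREATE TABLE RECOVER_YOUR_DATA (note TEXT)
2024-05-01T10:05:00Z 20 Connect app@10.0.0.9 on  using TCP/IP
2024-05-01T10:05:01Z 20 Query SELECT id FROM `Records` LIMIT 10
"""

LINE = re.compile(r"^\S+ (\d+) (Connect|Query) (.*)$")
DENIED = re.compile(r"Access denied for user '[^']*'@'([^']+)'")
CONNECT = re.compile(r"^(\S+@\S+) on")
SELECT_FROM = re.compile(r"^SELECT\b.*\bFROM\s+`?(\w+)`?", re.I)
DROP = re.compile(r"^DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)
CREATE = re.compile(r"^CREATE\s+TABLE\s+`?(\w+)`?", re.I)

def failed_logins_by_ip(log, threshold=3):
    """Source IPs with at least `threshold` rejected logins (brute-force signal)."""
    hits = Counter(m.group(1) for m in map(DENIED.search, log.splitlines()) if m)
    return {ip: n for ip, n in hits.items() if n >= threshold}

def ransom_sequences(log):
    """Sessions that SELECT from a table, DROP that same table, then CREATE a new one."""
    sessions = defaultdict(lambda: {"who": "?", "read": set(), "destroyed": set(), "created": []})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        tid, kind, arg = m.groups()
        s = sessions[tid]  # one state record per connection thread id
        if kind == "Connect" and (c := CONNECT.match(arg)):
            s["who"] = c.group(1)
        elif (q := SELECT_FROM.match(arg)):
            s["read"].add(q.group(1).lower())
        elif (q := DROP.match(arg)) and q.group(1).lower() in s["read"]:
            s["destroyed"].add(q.group(1).lower())  # dropped after being read
        elif (q := CREATE.match(arg)) and s["destroyed"]:
            s["created"].append(q.group(1))  # new table after the destruction
    return [(tid, s["who"], sorted(s["destroyed"]), s["created"])
            for tid, s in sessions.items() if s["created"]]
```

None of this can run unless the general or audit log is enabled and exported on the managed service, which the article stresses is the customer's job rather than the provider's.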
Read more: https://www.varonis.com/blog/encrypting-cloud-mysql