In cybersecurity, we often hear about best practices, one of the most important of which is never to open services that should be for internal use to public access. These are best practices for a good reason – when you don’t follow them, you might be hacked!
Research we conducted in the past showed how hackers could use Docker and Redis services that were left exposed to their own advantage.
Investigations into the root cause of data breaches will most often point to the same malpractice where services are left publicly accessible, whether by mistake or intentionally for a specific purpose for a limited time.
When it comes to databases, one of the most important rules is never to expose your database to public access. In cloud environments, however, it’s very easy to make this mistake because your cloud provider can allow it to happen with just a few clicks.
Using Shodan we can quickly get an estimation of publicly open databases. Figure 1 shows statistics related to MySQL and Postgres. Under “Top Organizations” you can see cloud providers like Amazon and Alibaba.
One of the most effective ways of learning how hackers operate is to deploy honeypots.
Taking this approach, we created several Relational Database Services (RDS) on AWS and left them open. To lure hackers we inserted Personal Information Identifier (PII) data and payment information.
In Figure 2, you can see that it didn’t take too long for hackers to discover and make the first connection attempt to the database. In addition, the time to the first attack was also very short.