Israeli cyber experts uncover massive attack on 85,000 MySQL servers

At least 250,000 databases have been compromised by anonymous group of hackers who remain at large

Ophir Harpaz (L) and Omri Marom, security researchers at Guardicore. (photo credit: Courtesy)
Ophir Harpaz (L) and Omri Marom, security researchers at Guardicore.
(photo credit: Courtesy)
At least 85,000 MySQL servers around the world have been breached in a massive ransomware campaign, Israeli cybersecurity experts have warned.
MySQL is an open-source database management system used by companies in a variety of sectors. The attack, called PLEASE_READ_ME, has so far resulted in at least 250,000 stolen databases being compromised and posted for sale on the dark web.
Ophir Harpaz and Omri Marom are security researchers at the Israel-based company Guardicore Labs, which specializes in cybersecurity threats and which discovered the hacker network.
Harpaz told The Media Line that she believes this is the largest ransomware campaign of its kind ever uncovered.
“This is a really vast target,” she said. “There are almost 5 million of [these MySQL servers] in the world so this is a very attractive target for hackers.
“Once they’re in the database, they steal the data, send it to their own servers and then delete it from the local machines,” Harpaz continued. “The victim has to pay a ransom for the data to be returned.”
The attack campaign first began in January, researchers said, and ramped up significantly in October. Once hackers manage to steal the data, it is posted on a website and sold to the highest bidder unless the victim agrees to pay a ransom of roughly $500. Guardicore researchers have ascertained that the attackers made at least $25,000 early on the campaign; however, they have been unable to track their ongoing earnings, as the transactions are no longer traceable.
Companies and organizations with weak passwords are particularly vulnerable to such attacks. So far, seven terabytes of data have been stolen.
“We cannot attribute the attack to a specific group because they are using an anonymous network to host their infrastructure,” Harpaz noted.  “We do know that the attacks that we’ve seen so far have been coming from machines in Ireland and the UK, but attackers often use compromised machines as intermediate stations from which they can operate so these are probably not their own private laptops but rather compromised servers used as the origin of the attacks.”
Researchers are not entirely certain what kind of information was stolen either and from exactly which organizations, she added. For now, they simply have a list of databases that were breached.
“Assuming that this hacker group targets MySQL servers then it’s a worldwide breach attack,” Harpaz said. “It’s not targeted to a specific geographical location but targets all such servers on the internet.”
As for the hackers themselves, they remain anonymous and at large. Guardicore’s researchers do not believe that they are state actors but a group of common cybercriminals.
“The fact that so many databases can be accessed from the internet is not a desired situation,” Omri Marom, who also works at Guardicore Labs as a security researcher, told The Media Line. “Databases should not be internet exposed and only be accessible from within the organization.”
Unfortunately, since the attack is so large in scope, there is no clear authority to turn to for help, the researchers said. For this reason, at the moment Guardicore is simply communicating with the companies that have been hit.
“We’re still on it, mostly on trying to take down whatever we can and helping organizations that have been breached,” he said.
Harpaz added that there were further difficulties that remain to be resolved.
“We've been contacted by companies with tens of thousands of customers that were hit,” she said, declining to provide specific names.
“Currently, we offer assistance for whoever was breached. We cannot take the leak site down because it’s on an anonymous network so it’s really hard to trace where this website is hosted.”