7/31/2023

Honeypot target

In today's digital era, the importance of securing databases cannot be overstated. As more and more global businesses and organizations rely on DBMSes to store tons of sensitive information, the risk of targeted attacks and data breaches continues to increase. Therefore, monitoring and uncovering new actors, along with their - often unique - attack techniques and methods, is crucial.

In the following article, we'll be delving into the general patterns and trends related to database attacks, which have been observed across various regions around the globe. Our team relied on data pulled from honeypot sensors, which have been strategically distributed worldwide, to gain insights into these trends. This network of sensors has helped us identify certain disproportions in the frequency, intensity, and nature of attacks targeting different database types located worldwide.

One interesting discovery was that certain databases were subjected to credential brute-force attempts more frequently than others. These brute-force attacks, where botnets repeatedly try different combinations of usernames and passwords to gain unauthorized access, have shown a higher prevalence in the case of some specific databases.

Lastly, we will discuss the interesting correlations we have found amongst the attributes collected during this research. At times, these correlations have been highly insightful, providing us with a deeper understanding of the characteristics of the database attacks. These findings, along with their implications, will be detailed in the subsequent sections of this text. We hope this exploration sheds light on the evolving landscape of cyber threats across the globe.

When it comes to databases, a honeypot can be a powerful tool for identifying and analyzing potential threats. To obtain a better perspective of attacks worldwide, Trustwave has implemented a network of honeypots located in multiple countries across the globe. By distributing honeypots in such a manner, we can gather a reliable set of information on the methods and techniques used by attackers and their botnets, allowing a comprehensive understanding of the current database threat landscape.

We decided to focus on gaining a global view, therefore we used the Low Interaction Honeypot (LIH) software; in other words, we collected login attempts along with data around the login process. In the beginning of December 2022, we placed sensors (honeypot servers) in key regions of the world with emphasis on Central Europe and the tense situation associated with it: Russia, Ukraine, Poland, UK, China, and the United States. Sensors (honeypot servers) spread in this manner allowed us to detect and analyze attacks that may be specific to a particular region or country, which can be useful for identifying and mitigating unique regional threats.

In this article, the data described comes from the period of four months, from the beginning of December 2022. We selected nine popular database systems: MS SQL Server (MSSQL), MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2 (Unix/Win), Cassandra, and Couchbase. The 'database servers' were listening on their default TCP ports. It quickly became clear that MSSQL activity was much higher than that of the other databases. The disproportion is so large (>93% - Figure 02) that comparing it to the other DBMSes was sometimes difficult. For this reason, we have launched another research project, to be released later this month, that takes a closer look at the super high activity of MSSQL attacks.

Values reported under MySQL should be understood as the sum of login attempts together with MariaDB, Percona for MySQL, and other DBMS flavors whose protocol is based on the MySQL standard.

One of the goals was to identify country-specific attacks rather than server-specific ones, which led to the idea of doubling the sensors. We placed two sensors in each country, the second with an IP address from that country's range as far away as possible from the first, in order to eliminate overlap. In other words, the goal was to avoid the situation of two similar IP octets, e.g., x.x.x.99 and x.x.x.100, within one country (which was a bit tricky to achieve). As a result of this effort, we could distinguish a random attack from a targeted one and also understand more about the nature of these attacks.

Figure 03 – Login attempts per sensor

Attack intensity

The histogram below (Figure 04) shows the frequency and intensity of attacks against all sensors, which varies over time. The next chart (Figure 05) shows the number of unique IP addresses captured in the research period.

Figure 04 – Attacks histogram against all DB's

The histogram is the sum of all login attempts (brute-force) on all listening database ports.
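The two-sensors-per-country design and the MySQL-family counting described above can be turned into a small analysis over login events. The following is an added example, not Trustwave's code: the event layout, sensor names, and the three classification labels are assumptions, and the events are constructed using documentation IP ranges.

```python
from collections import Counter, defaultdict

# Hypothetical deployment: sensor name -> country (two sensors per country).
SENSORS = {"pl-1": "PL", "pl-2": "PL", "us-1": "US", "us-2": "US"}

# Constructed login events (sensor, dbms, source_ip); not real honeypot data.
EVENTS = [
    ("pl-1", "MSSQL", "192.0.2.10"),
    ("pl-2", "MSSQL", "192.0.2.10"),
    ("pl-1", "MariaDB", "198.51.100.7"),
    ("us-1", "MSSQL", "203.0.113.5"),
    ("us-2", "MSSQL", "203.0.113.5"),
    ("pl-1", "MSSQL", "203.0.113.5"),
    ("us-1", "Percona", "203.0.113.5"),
    ("us-2", "Redis", "198.51.100.99"),
    ("us-2", "MySQL", "198.51.100.99"),
]

# The article sums MySQL-protocol flavors under MySQL.
MYSQL_FAMILY = {"MySQL", "MariaDB", "Percona"}

def attempts_per_dbms(events):
    """Count login attempts per DBMS, merging MySQL-compatible flavors."""
    return Counter("MySQL" if dbms in MYSQL_FAMILY else dbms
                   for _, dbms, _ in events)

def classify_sources(events):
    """Label each source IP by which sensors it reached (assumed rules)."""
    hits = defaultdict(set)                      # source IP -> sensors it hit
    for sensor, _, ip in events:
        hits[ip].add(sensor)
    labels = {}
    for ip, sensors in hits.items():
        countries = {SENSORS[s] for s in sensors}
        if len(countries) > 1:
            labels[ip] = "multi-country"         # broad, untargeted scanning
            continue
        (country,) = countries
        all_in_country = {s for s, c in SENSORS.items() if c == country}
        # Both distant sensors in one country hit, nothing elsewhere:
        # candidate country-specific activity; otherwise one server only.
        labels[ip] = ("country-specific" if sensors == all_in_country
                      else "server-specific")
    return labels

if __name__ == "__main__":
    print(attempts_per_dbms(EVENTS))
    for ip, label in sorted(classify_sources(EVENTS).items()):
        print(ip, label)
```

On real data these labels are only meaningful per time window, since a slow scanner may reach the second sensor in a country well after the first.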