Apache Hadoop Couch Databases
By Mark Perry on June 13, 2017
Apache Hadoop databases are the latest victims of database attacks. Companies have found that the information stored on these databases has been wiped, with only a calling card left inside. These databases hold mostly raw data collected over periods of time and usually do not contain personal information or important financial records. This attack is similar to the MongoDB attacks seen a couple of months ago; however, the difference in potential impact can be seen in the number of databases that are internet facing. There are about 47,800 servers exposed on the Internet, exposing 25TB of data; in contrast, there are far fewer Hadoop servers, 4,487, but these contain in excess of 5,000TB, or 5.12 petabytes, of information. The assailants are unknown but are going by the name NODATA4U. The information contained is wiped, with the attacker leaving a single newly created table entitled “NODATA4U_SECUREYOURSH!T.” This seems to be a blatant case of vandalism and destruction.
Recommendations for mitigating these types of attacks are as follows:
- Ensure Security is on.
- Turn Hadoop Safemode on.
- Turn on service level authentication.
- Apply network filtering or firewall rules to block port 50070 from untrusted IPs.
- Add a free IAM control and network segmentation with an OpenVPN solution.
- Implement a reverse proxy, such as Knox, to aid in preventing unauthorized access and manage connectivity to Hadoop.
CouchDB has also seen quite a few attacks on its servers from a group calling themselves r3l4x. This is, of course, a play on the word "relax" found in CouchDB's official slogan. Unlike the Hadoop attacks, these perpetrators are cloning and then wiping the stored information in order to hold it for ransom. So far, less than 1% of the data has been proven to have actually been deleted. CouchDB has suggested best practices to mitigate these types of attacks:
“To make sure this isn’t a security issue, CouchDB by default also only binds to the local loopback network interface 127.0.0.1 and we recommend creating an admin account before making CouchDB accessible from the public” ... “Do not run CouchDB without an admin account on a public network interface. Make sure to choose a strong password for the admin account.”
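The recommendations above can be checked against configuration files before a node is exposed. The following is an added example, not code from the original post or from either project: it audits a CouchDB ini file for a public bind address without an admin account, and a Hadoop `core-site.xml` for security settings. Mapping "Ensure Security is on" to `hadoop.security.authentication = kerberos` and the service level setting to `hadoop.security.authorization = true` is an assumption of this example, and the sample configs are constructed.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real system).
COUCH_INI = """
[chttpd]
bind_address = 0.0.0.0

[admins]
"""

CORE_SITE_XML = """
<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_couchdb(ini_text):
    """Flag a CouchDB config that listens publicly with no admin account defined."""
    cfg = configparser.ConfigParser(interpolation=None)  # password hashes may contain '%'
    cfg.read_string(ini_text)
    # CouchDB 2.x and later use [chttpd]; 1.x uses [httpd]. The default bind is loopback.
    binds = [cfg.get(s, "bind_address", fallback="127.0.0.1") for s in ("chttpd", "httpd")]
    public = [b for b in binds if b not in LOOPBACK]
    has_admin = cfg.has_section("admins") and len(cfg.options("admins")) > 0
    if public and not has_admin:
        return ["couchdb: bound to %s with no admin account" % ", ".join(public)]
    return []

def audit_hadoop(xml_text):
    """Flag a core-site.xml where authentication or service-level authorization is off."""
    props = {p.findtext("name"): (p.findtext("value") or "").strip().lower()
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    # Both properties default to the insecure value when absent.
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop: authentication is not kerberos (security is off)")
    if props.get("hadoop.security.authorization", "false") != "true":
        findings.append("hadoop: service-level authorization is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_couchdb(COUCH_INI) + audit_hadoop(CORE_SITE_XML):
        print("FINDING", finding)
```

A clean result here only covers configuration; the port 50070 filtering in the list above still has to be verified at the firewall.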