Israeli Cyber Experts Uncover Massive Attack on 85,000 MySQL Servers

At least 250,000 databases have been compromised by an anonymous group of hackers who remain at large

At least 85,000 MySQL servers around the world have been breached in a massive ransomware campaign, Israeli cybersecurity experts have warned.

MySQL is an open-source relational database management system used by companies in a variety of sectors. The attack campaign, called PLEASE_READ_ME, has so far resulted in at least 250,000 databases being stolen and posted for sale on the dark web.

Ophir Harpaz and Omri Marom are security researchers at the Israel-based company Guardicore Labs, which specializes in cybersecurity threats and which discovered the hacker network.

Ophir Harpaz (L) and Omri Marom, security researchers at Guardicore. (Courtesy)

Harpaz told The Media Line that she believes this is the largest ransomware campaign of its kind ever uncovered.

“This is a really vast target,” she said. “There are almost 5 million of [these MySQL servers] in the world so this is a very attractive target for hackers.

“Once they’re in the database, they steal the data, send it to their own servers and then delete it from the local machines,” Harpaz continued. “The victim has to pay a ransom for the data to be returned.”

The attack campaign first began in January, researchers said, and ramped up significantly in October. Once the hackers steal the data, it is posted on a website and sold to the highest bidder unless the victim agrees to pay a ransom of roughly $500. Guardicore researchers have ascertained that the attackers made at least $25,000 early in the campaign; however, they have been unable to track the group's ongoing earnings, as the transactions are no longer traceable.

Companies and organizations with weak passwords are particularly vulnerable to such attacks. So far, seven terabytes of data have been stolen.

“We cannot attribute the attack to a specific group because they are using an anonymous network to host their infrastructure,” Harpaz noted. “We do know that the attacks that we’ve seen so far have been coming from machines in Ireland and the UK, but attackers often use compromised machines as intermediate stations from which they can operate so these are probably not their own private laptops but rather compromised servers used as the origin of the attacks.”

Researchers are also not entirely certain what kind of information was stolen, or from exactly which organizations, she added. For now, they simply have a list of databases that were breached.

“Assuming that this hacker group targets MySQL servers then it’s a worldwide breach attack,” Harpaz said. “It’s not targeted to a specific geographical location but targets all such servers on the internet.”

As for the hackers themselves, they remain anonymous and at large. Guardicore’s researchers do not believe that they are state actors but a group of common cybercriminals.

“The fact that so many databases can be accessed from the internet is not a desired situation,” Omri Marom, who also works at Guardicore Labs as a security researcher, told The Media Line. “Databases should not be internet-exposed and should only be accessible from within the organization.”
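The two risk factors the researchers name, internet-exposed MySQL listeners and accounts reachable from anywhere, can both be checked from the server side. The following is an added illustration written for this article, not Guardicore's tooling and not code from the campaign: it parses the `[mysqld]` section of a constructed `my.cnf` to see where the server binds, and scans a constructed copy of the `user`/`host` columns of `mysql.user` for wildcard-host accounts. The sample configs and account rows are invented for the example.

```python
"""Defender-side audit of a MySQL server's network exposure.

Added example for this article (hypothetical checks, not Guardicore's tools).
Two inputs are examined:
  1. the [mysqld] section of my.cnf, for the bind-address / skip-networking settings
  2. rows equivalent to `SELECT user, host FROM mysql.user`, for wildcard hosts
"""
from typing import Dict, List, Tuple, Union

# Constructed sample: a config that leaves MySQL reachable on every interface.
EXPOSED_CNF = """
[mysqld]
bind-address = 0.0.0.0   # listens on all IPv4 interfaces
port = 3306
"""

# Constructed sample: the same server restricted to loopback only.
HARDENED_CNF = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
"""

# Constructed sample rows mirroring `SELECT user, host FROM mysql.user`.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("root", "localhost"),
    ("app", "%"),                      # usable from any source address
    ("report", "10.0.0.0/255.0.0.0"),  # restricted to an internal range
]

# Values MySQL accepts for "listen on every interface".
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_mysqld_section(cnf_text: str) -> Dict[str, Union[str, bool]]:
    """Return option -> value for the [mysqld] section of a my.cnf text.

    Option names are normalised because MySQL treats '-' and '_' as equivalent
    (bind-address == bind_address). Bare options such as `skip-networking`
    map to True. Comments (#) and !include directives are ignored.
    """
    section = None
    opts: Dict[str, Union[str, bool]] = {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower().replace("-", "_")] = value.strip() or True
    return opts


def audit_bind_address(cnf_text: str) -> List[str]:
    """Return human-readable findings about where the server listens.

    An empty list means the TCP listener is disabled or bound only to
    addresses that are not 'all interfaces'.
    """
    opts = parse_mysqld_section(cnf_text)
    if "skip_networking" in opts:
        return []  # no TCP listener at all; only local socket / named pipe
    bind = opts.get("bind_address")
    if not isinstance(bind, str):
        return ["bind-address not set: MySQL defaults to listening on all interfaces"]
    findings = []
    # MySQL 8.0.13+ accepts a comma-separated list of addresses.
    for addr in (a.strip() for a in bind.split(",")):
        if addr in ALL_INTERFACES:
            findings.append(
                f"bind-address={addr}: listener reachable from any network, "
                "including the internet unless a firewall blocks port "
                f"{opts.get('port', '3306')}"
            )
    return findings


def audit_user_hosts(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (user, host) accounts that accept logins from any host.

    In mysql.user a host of '%' (or an empty string) matches every client
    address, so such an account combined with an exposed listener is the
    situation the article describes.
    """
    return [(user, host) for user, host in rows if host in ("%", "")]


if __name__ == "__main__":
    for label, cnf in (("exposed", EXPOSED_CNF), ("hardened", HARDENED_CNF)):
        print(label, audit_bind_address(cnf) or "no listener findings")
    print("wildcard-host accounts:", audit_user_hosts(SAMPLE_USERS))
```

On a real host the config text comes from `my.cnf` (and any `!includedir` files, which this parser deliberately skips rather than follows), and the account rows from the `mysql.user` table; a listener bound to all interfaces is only a problem when no firewall or security group in front of it blocks the port, which is the compensating control to verify next.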

Unfortunately, since the attack is so large in scope, there is no clear authority to turn to for help, the researchers said. For this reason, at the moment Guardicore is simply communicating with the companies that have been hit.

“We’re still on it, mostly on trying to take down whatever we can and helping organizations that have been breached,” he said.

Harpaz added that there were further difficulties that remain to be resolved.

“We’ve been contacted by companies with tens of thousands of customers that were hit,” she said, declining to provide specific names.

“Currently, we offer assistance for whoever was breached. We cannot take the leak site down because it’s on an anonymous network so it’s really hard to trace where this website is hosted.”
