NDSS 2025 – all your (data)base are belong to us: Characterizing Database Ransom(ware) Attacks
The study shows that database ransomware attacks are increasingly rampant, with 6,000 new infections in March 2024, a 60% increase over a year earlier. By analysing 23,000 ransom notes and 60,000 compromised servers, the researchers found that Elasticsearch is more exposed to attack because of weak authentication. Using ransom-note text similarity and blockchain data, they identified 32 attack groups, one of which dominates, causing 76% of infections and 90% of the financial losses, and is linked to a certain country.

2026-01-26 20:00:00 Source: securityboulevard.com

Session 10B: Ransomware

Authors, Creators & Presenters: Kevin van Liebergen (IMDEA Software Institute), Gibran Gomez (IMDEA Software Institute), Srdjan Matic (IMDEA Software Institute), Juan Caballero (IMDEA Software Institute)
PAPER
all your (data)base are belong to us: Characterizing Database Ransom(ware) Attacks
We present the first systematic study of database ransom(ware) attacks, a class of attacks where attackers scan for database servers, log in by leveraging the lack of authentication or weak credentials, drop the database contents, and demand a ransom to return the deleted data. We examine 23,736 ransom notes collected from 60,427 compromised database servers over three years, and set up database honeypots to obtain a first-hand view of current attacks. Database ransom(ware) attacks are prevalent with 6K newly infected servers in March 2024, a 60% increase over a year earlier. Our honeypots get infected within 14 hours of being connected to the Internet. Weak authentication issues are two orders of magnitude more frequent on Elasticsearch servers compared to MySQL servers due to slow adoption of the latest Elasticsearch versions. To analyze who is behind database ransom(ware) attacks we implement a clustering approach that first identifies campaigns using the similarity of the ransom notes text. Then, it determines which campaigns are run by the same group by leveraging indicator reuse and information from the Bitcoin blockchain. For each group, it computes properties such as the number of compromised servers, the lifetime, the revenue, and the indicators used. Our approach identifies that the 60,427 database servers are victims of 91 campaigns run by 32 groups. It uncovers a dominant group responsible for 76% of the infected servers and 90% of the financial impact. We find links between the dominant group, a nation-state, and a previous attack on Git repositories.
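As an added illustration of the two-step attribution the abstract describes (campaigns from ransom-note similarity, then groups from indicator reuse), the following Python is example code written for this post, not the authors' tool. The notes, wallet addresses and e-mail contacts are constructed placeholders, the similarity threshold is an assumption, and the Bitcoin-blockchain linking step is omitted.

```python
import re
from itertools import combinations

# Constructed sample ransom notes (hypothetical, not from the paper's dataset);
# wallet addresses and e-mail contacts are placeholders, not real indicators.
NOTES = {
    "n1": "All your data is backed up. To restore send 0.01 BTC to bc1qexampleaaaa and email restore1@example.invalid",
    "n2": "All your data is backed up. To restore send 0.02 BTC to bc1qexamplebbbb and email restore1@example.invalid",
    "n3": "Your database was deleted. Pay 0.05 BTC to bc1qexamplecccc then contact help2@example.invalid with your ID",
    "n4": "Your database was deleted. Pay 0.05 BTC to bc1qexamplebbbb then contact help3@example.invalid with your ID",
    "n5": "WARNING database removed. Mail recover@example.invalid to get it back. Wallet 1ExampleDDDDDDDD",
}

BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{8,}|[13][A-Za-z0-9]{8,})\b")
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def indicators(note):
    # Payment and contact indicators embedded in one note.
    return set(BTC_RE.findall(note)) | set(MAIL_RE.findall(note))

def template(note):
    # Bag of words with indicators and amounts masked, so similarity reflects wording only.
    masked = MAIL_RE.sub("<MAIL>", BTC_RE.sub("<BTC>", note))
    masked = re.sub(r"\d+(?:\.\d+)?", "<NUM>", masked)
    return set(masked.lower().split())

def jaccard(a, b): return len(a & b) / len(a | b)

def _cluster(items, linked):
    # Transitively group items for which linked(a, b) holds (simple union-find).
    parent = {k: k for k in items}
    def root(k):
        while parent[k] != k: k = parent[k]
        return k
    for a, b in combinations(items, 2):
        if linked(a, b): parent[root(a)] = root(b)
    comps = {}
    for k in items: comps.setdefault(root(k), []).append(k)
    return sorted(sorted(c) for c in comps.values())

def campaigns(notes, threshold=0.6):
    # Step 1: notes with near-identical wording (indicators masked) form one campaign.
    tpl = {k: template(v) for k, v in notes.items()}
    return _cluster(list(notes), lambda a, b: jaccard(tpl[a], tpl[b]) >= threshold)

def groups(notes, threshold=0.6):
    # Step 2: campaigns that reuse a wallet or contact address are attributed to one group.
    camps = campaigns(notes, threshold)
    ind = [set().union(*(indicators(notes[n]) for n in c)) for c in camps]
    idx = _cluster(range(len(camps)), lambda i, j: bool(ind[i] & ind[j]))
    return [sorted(n for i in comp for n in camps[i]) for comp in idx]
```

On the sample notes, n1/n2 and n3/n4 form two campaigns with different wording, and the shared wallet bc1qexamplebbbb merges both campaigns into a single group, while n5 stays separate.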
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators', Authors' and Presenters' superb NDSS Symposium 2025 Conference content on the organization's YouTube channel.


*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/p9p-gU1Bp1M?si=k_2TO8cbuW8533xK


Article source: https://securityboulevard.com/2026/01/ndss-2025-all-your-database-are-belong-to-us-characterizing-database-ransomware-attacks/