Combating Ransom-War: Evolving Landscape of Ransomware Infections in Cloud Databases

By Aditya K Sood on 23 Jul 2022 @ Hope
#ransomware #cloud-pentesting #data-protection
Focus Areas: 🔒 Data Privacy & Protection, ☁️ Cloud Security, 🦠 Malware Analysis


Abstract

Attackers are targeting the cloud databases used by modern applications to subvert the integrity and confidentiality of the stored data. Databases such as MongoDB and Elasticsearch are being infected with ransomware and exploited in the wild for data exfiltration and data destruction. This talk presents the threat landscape of ransomware and botnet infections in databases deployed for modern applications. It unveils the techniques and tactics for detecting ransomware and botnet infections in cloud databases, practically demonstrating the detection of real-world infections with purpose-built tools. The audience can use these tools to conduct an efficient security assessment of cloud databases against severe infections, and the talk equips threat researchers and penetration testers to build threat intelligence that can be consumed at scale. The audience will see real-time ransomware detection in cloud databases, including insights into how these databases are compromised.

AI Generated Summary

The talk examined the increasing targeting of cloud-based NoSQL databases, particularly MongoDB and Elasticsearch, by ransomware and data destruction campaigns. It argued that the shift toward modern, cloud-native applications using these databases for high-performance, distributed data processing has created a new attack surface where data itself is the primary currency for attackers.

Key findings identified several root causes of infection: exposed administrative interfaces due to misconfigured security groups, weak or default credentials, unpatched vulnerabilities in database software, and lateral movement from compromised cloud assets. Real-world examples demonstrated infection signatures, such as ransom notes inserted into database indices or collections (e.g., “readme” documents) and widespread data corruption from variants like “Meow Bot,” which renders data irrecoverable.

To address detection, the research presented two open-source tools: Philot and Straffer. These tools perform remote, unauthenticated scans of internet-facing MongoDB and Elasticsearch instances. They enumerate databases, collections, and indices to identify known ransomware artifacts—such as specific ransom notes, email identifiers, or patterns of encrypted/corrupted data—providing security teams with actionable intelligence on exposed and compromised assets.
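The two paragraphs above describe the detection approach in outline: enumerate databases and collections, then look for ransom-note artifacts (a "readme"-style collection, an e-mail or payment address in a note) and for Meow-style corruption. The following is an added example, written for this page and not code from Philot, Straffer or the talk, that implements that logic over a constructed in-memory snapshot of a MongoDB-style instance so it runs offline. The indicator lists (`RANSOM_NOTE_NAMES`, the `-meow` suffix, the regexes) and the sample documents are assumptions of the example, to be replaced with your own threat intelligence when auditing instances you are responsible for.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed snapshot of one instance: {database: {collection: [documents]}}.
# In a live audit this structure would be filled from pymongo's
# list_database_names() / list_collection_names() / find() against your own instance.
SAMPLE_INSTANCE: Dict[str, Dict[str, list]] = {
    "orders": {
        "customers": [{"_id": 1, "name": "alice"}],
        "README": [{
            "_id": 1,
            "content": ("All your data is backed up. To restore send 0.03 BTC to "
                        "1ConstructedAddrAAAAAAAAAAAAAAA and contact restore@example.com"),
        }],
    },
    "logs-meow": {"events-meow": []},          # constructed Meow-style renamed namespace
    "inventory": {"items": [{"_id": 1, "sku": "A1", "qty": 3}]},
}

# Assumed indicators (not from the talk): collection names attackers use for ransom notes,
# the suffix Meow-style corruption leaves on names, and text/address patterns in notes.
RANSOM_NOTE_NAMES = {"readme", "read_me", "warning", "how_to_restore", "recover"}
MEOW_SUFFIX = "-meow"
RANSOM_TEXT = re.compile(r"\b(bitcoin|btc|ransom|restore your data|backed up)\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
BTC_ADDR = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


@dataclass
class Finding:
    database: str
    collection: str
    kind: str      # "ransom_note", "meow_corruption" or "ransom_text"
    detail: str


def scan_snapshot(snapshot: Dict[str, Dict[str, list]]) -> List[Finding]:
    """Walk every database/collection and flag known infection artifacts."""
    findings: List[Finding] = []
    for db, collections in snapshot.items():
        for coll, docs in collections.items():
            # Meow-style destruction: namespaces renamed with a marker suffix, contents dropped.
            if db.endswith(MEOW_SUFFIX) or coll.endswith(MEOW_SUFFIX):
                findings.append(Finding(db, coll, "meow_corruption",
                                        f"name carries {MEOW_SUFFIX!r} suffix"))
            # Ransom note dropped as its own collection.
            if coll.lower() in RANSOM_NOTE_NAMES:
                findings.append(Finding(db, coll, "ransom_note",
                                        "collection name matches ransom-note pattern"))
            # Ransom text inside documents: extract contact and payment identifiers.
            for doc in docs:
                text = " ".join(str(v) for v in doc.values())
                if RANSOM_TEXT.search(text):
                    emails = EMAIL.findall(text)
                    addrs = BTC_ADDR.findall(text)
                    findings.append(Finding(db, coll, "ransom_text",
                                            f"emails={emails} btc={addrs}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind: the shape a dashboard or SIEM ingestion would key on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_snapshot(SAMPLE_INSTANCE)
    for f in results:
        print(f"[{f.kind}] {f.database}.{f.collection}: {f.detail}")
    print(summarize(results))
```

Against the constructed snapshot the scan reports one ransom-note collection, one document carrying ransom text with its extracted e-mail and payment address, and one Meow-style renamed namespace, while the clean collections produce nothing. The extracted identifiers are what the summary calls actionable intelligence: they let a team correlate infections across instances and prioritize restoration from backups rather than trusting the note's claim that data was "backed up".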

Practical implications emphasize the need for rigorous configuration hardening of cloud databases, including strict network access controls, strong authentication, and regular patching. The tools offer a proactive method for organizations to audit their external attack surface and detect active infections. The research underscores that securing cloud databases requires tailored threat models beyond traditional perimeter defenses, focusing on the specific risks of publicly accessible, high-value data stores.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.