Thousands of servers operated by businesses and other organizations are publicly distributing credentials that can allow anyone on the Internet to access and read or modify sensitive data stored online.
In a blog post published late last week, researcher Giovanni Collazo said that a quick query on the Shodan search engine returned almost 2,300 Internet-exposed servers running etcd, a type of database used by computer clusters and other types of networks to store and share passwords and configuration settings required by servers and various applications. etcd comes with a programming interface that, by default, answers simple queries by returning administrative login credentials without first requiring authentication. The passwords, encryption keys, and other forms of credentials are used to access MySQL and PostgreSQL databases, content management systems, and other types of production servers.
Collazo says he wrote a simple script that ran through the 2,284 etcd servers found in his Shodan search. Using the query GET http://:2379/v2/keys/?recursive=true, the script was designed to return all the credentials stored on the servers in a format that would be easy for hackers to use. Collazo stopped the script after collecting about 750 megabytes of data from nearly 1,500 of the servers. The haul included:
- 8,781 passwords
- 650 Amazon Web Services access keys
- 23 secret keys
- 8 private keys
“I haven’t tested any of the credentials but if I had to guess I would guess that at least some of them should work and this is the scary part,” Collazo wrote. “Anyone who has a few minutes to check can end up with a list of hundreds of data credentials which can be used to steal data, or carry out ransomware attacks.”
Researcher Troy Mursch told Ars that he independently verified the findings and believes that exposed etcd servers and similar Internet-facing systems are a serious concern for anyone running them. He, too, posted a picture of a result obtained from his own query sent to an open database. The image shows a password that provides root access to a MySQL database. The exposed etcd server is not the only example of poor security practices: as the image shows, the MySQL password itself is “1234.”
2,000+ public access etcd installations yielding 8,781 passwords. @gcollazo details what you see here:
It’s as simple as: <example>:2379/v2/keys/?recursive=true
Here is an example MySQL password we found: pic.twitter.com/F3cyWj19P8
– Bad Packets Report (@bad_packets) March 18, 2018
It is possible that multi-factor authentication and other security measures will prevent many of the credentials from being used on their own to gain access to the servers they protect. However, as Collazo said, if even hundreds of the credentials are enough to gain access to a powerful system, they will provide a valuable opportunity for data thieves and ransomware scammers.
Mursch and Collazo say that whenever possible, etcd servers should not be exposed to the Internet, and that admins should change the default settings so that servers only hand out credentials after users authenticate themselves. Collazo also said that the etcd developers should consider changing the default behavior to require authentication.
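To check one's own deployment against the behavior described above, the following audit helper (added here, not part of Collazo's script or of etcd itself) sends the same recursive v2 query to a single endpoint the operator controls, classifies the answer, and lists leaves whose names look like secrets. The key tree and the hostname 127.0.0.1 are constructed assumptions; the secret-name pattern is a heuristic, not an etcd feature.

```python
"""Audit helper: does an etcd v2 endpoint serve its key tree without authentication?"""
import json
import re
import urllib.error
import urllib.request

# Constructed sample of the JSON shape etcd v2 returns for GET /v2/keys/?recursive=true
SAMPLE_OPEN = json.dumps({
    "action": "get",
    "node": {"dir": True, "nodes": [
        {"key": "/config/app/name", "value": "inventory"},
        {"key": "/config/db", "dir": True, "nodes": [
            {"key": "/config/db/mysql_password", "value": "1234"},
            {"key": "/config/db/host", "value": "db.internal"},
        ]},
        {"key": "/aws/access_key", "value": "AKIA-PLACEHOLDER"},
    ]},
})

# Heuristic: leaf names that usually hold credentials (assumption, tune for your naming)
SECRET_NAME = re.compile(r"(passw|secret|token|key|credential)", re.I)

def flatten(node):
    """Yield (key, value) for every leaf beneath an etcd v2 node dict."""
    if node.get("dir"):
        for child in node.get("nodes", []):
            yield from flatten(child)
    elif "key" in node:
        yield node["key"], node.get("value", "")

def classify(status, body):
    """Turn an HTTP status and body into an exposure verdict for the endpoint."""
    if status == 401:
        return {"verdict": "auth-required", "leaves": 0, "secret_like": []}
    if status != 200:
        return {"verdict": f"unexpected-http-{status}", "leaves": 0, "secret_like": []}
    try:
        node = json.loads(body)["node"]
    except (ValueError, KeyError, TypeError):
        return {"verdict": "not-etcd-v2", "leaves": 0, "secret_like": []}
    leaves = list(flatten(node))
    secret_like = [k for k, _ in leaves if SECRET_NAME.search(k.rsplit("/", 1)[-1])]
    return {"verdict": "open-read", "leaves": len(leaves), "secret_like": secret_like}

def probe(base_url="http://127.0.0.1:2379", timeout=5):
    """Send the recursive query to an endpoint you operate and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/keys/?recursive=true")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())
    except OSError:  # connection refused, timeout: the port is not reachable from here
        return {"verdict": "unreachable", "leaves": 0, "secret_like": []}

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN))
```

A verdict of "open-read" from a network the cluster does not trust means the listen address or authentication settings need to change before anything else.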