Remember Memcached servers? Now, we have another case of servers exposed online and fulfilling evil intentions of the hackers. This time, thousands of etcd servers maintained by corporates and organizations are spitting sensitive passwords and encrypted keys, allowing anyone to get access to important data.
Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys.
First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.
etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront.
Collazo said that he didn’t test the credentials, but the scary part is that a few of them should work. A determined person with a few spare minutes can obtain a list of hundreds of database credentials and do whatever he wants, like, stealing data or performing ransomware attacks.
All of the data he harvested from around 1500 servers is around 750MB in size. Another researcher named Troy Mursch independently verified Collazo’s findings. He posted an image which showed how the careless implementation of security was taken to another level. A MySQL database simply required “1234” as the password to gain root access.
It really is as simple as http://<IP address of etcd instance>:2379/v2/keys/?recursive=true
Here's an example MySQL password found: pic.twitter.com/F3cyWj19P8
— Bad Packets (@bad_packets) March 18, 2018
Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures. This would prevent random people from reading and writing on the server.