Author: Robert Agar
Answering this question should be a pretty straightforward exercise for MySQL support teams. In some cases, such as when databases are still in the development stage, the answer might be that they are not yet secured. This is an honest answer that the team will address before allowing the database to go live or store any sensitive information. Many DBAs working with production MySQL instances will say that their systems are secure and display confidence that the systems can safely protect enterprise data resources.
The best answer when querying the security of your MySQL servers is that the team is currently doing all they can to protect them. This answer may not instill a high degree of confidence among corporate executives, but it is the best and most truthful response. Securing high-value computing resources, including MySQL servers, should be seen as an extremely fluid situation that can change at a moment’s notice.
Providing security is only one facet of a DBA’s responsibilities. They need to spend a good deal of time and mental energy on other concerns like maintaining performance and accessibility. This is not the case with the entities attempting to subvert the security measures that have been implemented to protect a MySQL environment. Their whole focus can be on identifying and exploiting security vulnerabilities. This puts database teams at a distinct disadvantage.
Anatomy of a Hack
The lengths to which hackers will resort when attempting to compromise MySQL servers is starkly illustrated by an investigation into a ransomware attack. These are not amateurs randomly attempting to gain entry into your systems. They often employ a sophisticated attack that is comprised of multiple phases.
Security researchers set up honeypot systems designed to attract hackers. Here is an example of the type of multi-step attacks that attacked the targets.
- Collecting credentials using a dictionary attack to identify users and passwords;
- Running a reconnaissance script to discover information such as databases that are without a default configuration and DB users with “SELECT” and “INSERT” permissions;
- Using mysqldump to exfiltrate the data and then dropping the database;
- Recreating the database with the same name and inserting a ransomware note;
- Creating a new database called “PLEASE_READ_ME_XMG” to attract attention using the same ransomware note;
- Creating a DB user backdoor so access could be retained even if admins changed login credentials.
Using these steps, the hacker hijacked the database and gained unauthorized access to its information. It’s not a pretty picture.
Uncovering a Massive Attack
Israeli cybersecurity experts warn that at least 85,000 MySQL servers around the world have been breached as the result of a massive ransomware campaign. The PLEASE_READ_ME ransomware attacks have resulted in over 250,000 databases being compromised and their information posted for sale on the dark web.
The attacks began in January 2020 and have increased in number since October. Once the criminals access the databases, they steal the data, send it to their servers, and delete it from the original machines. Companies are expected to pay a ransom if they want their data returned.
Attacks are initiated from anonymous networks, making it impossible to identify the culprits. They often use compromised machines as a platform from which to launch further attacks. It is estimated that over seven terabytes of data have been stolen with the perpetrators focusing on organizations with weak password policies in place.
Protecting Your MySQL Environment
Database teams need to take proactive measures to guard against these kinds of attacks and maintain the constant vigilance necessary to protect MySQL data resources. Best practices that should be observed include:
- Disabling public access to MySQL servers;
- Changing default passwords;
- Implementing strong password and access management policies;
- Searching for risky queries;
- Monitoring for failed login attempts to thwart brute force attacks.
These actions will help protect your MySQL environment. They need to be supplemented by constantly staying apprised of new developments in the hacker community that may present dangers to your systems.
SQL Diagnostic Manager for MySQL is a tool that can help address MySQL security in multiple ways. It provides a centralized web console that can identify and alert on security vulnerabilities. The tool allows teams to control who has access to specific servers and what permissions they hold. Alerts can be generated to ensure that server settings cannot be changed without the knowledge of system administrators.
Problem queries can be monitored, identified, and analyzed. This lets you look for potentially dangerous queries that attempt to deploy malware or create a backdoor to a database. Additionally, SQL Diagnostic Manager for MySQL will help identify performance impacting queries and so you can keep your servers running optimally. Customizable dashboards and charts let you tailor the application to suit your unique environment. It’s a comprehensive MySQL monitoring platform that can help you keep your systems secure.
