Thousands of servers running etcd are exposed on the Internet, and the credentials they store are now publicly available.
Today a single query on the Shodan search engine turns up a total of 2,284 etcd servers reachable from the Internet, and a large share of them leak the credentials, passwords and keys used for accounts such as cms_admin, mysql_root and postgres across their server infrastructure.
In total about 750 MB of this data can be downloaded online, for free, without any authentication.
For those unfamiliar with it, etcd is an open-source distributed key-value store that runs as a cluster. Applications and servers commonly use it to hold their configuration, and that configuration often includes the credentials they need to talk to databases and other services.
Until etcd version 2.1 the software was a completely open system: anyone with network access to the API could read and change keys. Authentication was added in version 2.1, but for backwards compatibility it is disabled by default, so unless an operator turns it on, every client that can reach the port still has full read and write access.
Researchers wrote a simple script that called the etcd API on each host and asked it to return every key it held: GET http://< ip address >:2379/v2/keys/?recursive=true. This script revealed the size of the problem: of the 2,284 servers found on the open Internet, at least 1,485 had keys exposed. Those 1,485 servers revealed passwords for databases of all kinds, AWS secret keys, and API keys and secrets for a range of services. In total, 8,781 passwords, 650 AWS secret keys, 23 secret keys for other services and eight private keys were available for download.
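The query above returns a JSON tree of directories and leaf nodes, so most of the work is walking that tree and deciding which leaves look like credentials. The following is an added example, not the researchers' script: it parses a constructed sample of an etcd v2 recursive response (the keys and values in it are made up and mirror the categories named above), flags leaves whose name or value looks like a password, an AWS secret access key or a PEM private key, and classifies a server as "auth_enabled" (HTTP 401), "exposed" or "open_no_secrets". The optional probe() function does the live request and must only be pointed at hosts you are authorised to test.

```python
"""Parse an etcd v2 `GET /v2/keys/?recursive=true` response and flag leaked
credentials. Added example, not the original research script. The sample
response below is constructed, not captured from a real server."""
import json
import re
import urllib.error
import urllib.request

# Constructed sample of the node tree an open etcd v2 server returns.
# Keys and values are invented; the AWS value is the documented example key.
SAMPLE_RESPONSE = json.dumps({
    "action": "get",
    "node": {
        "key": "/", "dir": True,
        "nodes": [
            {"key": "/config", "dir": True, "nodes": [
                {"key": "/config/mysql_root_password", "value": "1234"},
                {"key": "/config/aws_secret_access_key",
                 "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                {"key": "/config/feature_flag", "value": "on"},
            ]},
            {"key": "/tls", "dir": True, "nodes": [
                {"key": "/tls/server.key",
                 "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"
                          "-----END RSA PRIVATE KEY-----"},
            ]},
        ],
    },
})

# Key names that usually hold a secret; matched case-insensitively.
SECRET_KEY_NAME = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private|credential)", re.I)
# AWS secret access keys are 40 characters from the base64 alphabet.
AWS_SECRET = re.compile(r"^[A-Za-z0-9/+=]{40}$")
PEM_PRIVATE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def walk_nodes(node):
    """Yield (key, value) for every leaf under an etcd v2 node, depth first."""
    if node.get("dir"):
        for child in node.get("nodes", []):
            yield from walk_nodes(child)
    else:
        yield node["key"], node.get("value", "")


def classify_leaf(key, value):
    """Return a label describing why a leaf looks like a credential, or None."""
    if PEM_PRIVATE.search(value):
        return "private_key"
    if AWS_SECRET.match(value) and "aws" in key.lower():
        return "aws_secret_key"
    if SECRET_KEY_NAME.search(key):
        return "password_or_secret"
    return None


def find_secrets(body):
    """Parse a /v2/keys response body; return [(key, label)] for each leak."""
    root = json.loads(body).get("node", {})
    hits = []
    for key, value in walk_nodes(root):
        label = classify_leaf(key, value)
        if label:
            hits.append((key, label))
    return hits


def classify_server(status, body):
    """Map an HTTP result to the three states an auditor cares about."""
    if status == 401:
        return "auth_enabled"          # etcd auth is on; anonymous read refused
    if status == 200:
        return "exposed" if find_secrets(body) else "open_no_secrets"
    return "unknown"


def probe(host, port=2379, timeout=5):
    """Live check against a host you are authorised to test (not run offline)."""
    url = "http://%s:%d/v2/keys/?recursive=true" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_server(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_server(e.code, "")


if __name__ == "__main__":
    for key, label in find_secrets(SAMPLE_RESPONSE):
        print(label, key)
    print(classify_server(200, SAMPLE_RESPONSE))
```

A 401 from the keys endpoint is the quickest sign that an operator has enabled etcd authentication; a 200 with a populated tree means anyone on the Internet can read the same thing, and, as noted above, usually write it too.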
As this shows, flaws of this kind are not malware but misconfiguration, so an antivirus product for Windows or Mac does nothing to find or prevent them. What does catch them is looking at the company's network the way an outsider does: hiring a security firm to run deliberate attacks against it through penetration tests and ethical hacking engagements, which would turn up an etcd port answering anonymous requests from the Internet.
None of the credentials found were tested, because using them would be both illegal and against the principles of responsible research, but a fair guess is that at least some of them work. That is the scary part: anyone with a few moments to spare could end up with a list of hundreds of database credentials that can be used to steal data or to stage ransomware attacks.
An attacker does not even need those credentials to do damage. With authentication disabled the same API accepts writes, so anyone can change the data in etcd, tamper with application configuration and possibly authentication settings, or use the store to stash data exfiltrated from other attacks.
We also found poor security practices, such as the string "1234" stored in etcd as a password.
To reduce, and eventually eliminate, the risk of this kind of exposure, practice good security habits: keep applications and operating systems updated to the latest available versions, and put access controls in front of every service that stores secrets.
We also recommend that administrators never leave etcd reachable from the public Internet. Bind it to a private interface, keep it behind a firewall, and change the defaults so that strangers cannot read from or write to it: enable authentication and require TLS client certificates.
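What those changed defaults look like in etcd's own configuration file, as an added example rather than a configuration taken from the article or from any of the affected servers (the private address, certificate paths and the 10.0.0.5 host are assumptions for illustration):

```yaml
# Exposed defaults: plaintext HTTP, bound to every interface, no client
# authentication. Anyone who can reach TCP/2379 can read and write all keys.
# listen-client-urls: http://0.0.0.0:2379
# advertise-client-urls: http://0.0.0.0:2379

# Hardened: TLS on a private address only, and every client must present a
# certificate signed by our CA before etcd will answer.
listen-client-urls: https://10.0.0.5:2379
advertise-client-urls: https://10.0.0.5:2379
client-transport-security:
  cert-file: /etc/etcd/server.crt
  key-file: /etc/etcd/server.key
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/ca.crt
```

Mutual TLS stops strangers at the transport layer; to also stop an anonymous client that does hold a valid certificate, turn on etcd's role-based authentication with etcdctl (create a root user with "etcdctl user add root", then run "etcdctl auth enable"), after which the recursive key query returns 401 instead of the whole tree.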