Offensive Security

Bar association affected by ransomware - perpetrators demand ransom!

BeA, a bar association website, has fallen victim to a ransomware attack. The vulnerability was a misconfiguration!

Vincent Heinen, Head of Offensive Services
Updated: October 2, 2024 · 2 min read

TL;DR

The public information page of Germany's electronic lawyer mailbox (BeA) was hit by a ransomware attack exploiting a misconfigured MySQL database that required no credentials. Attackers copied and deleted the database contents, leaving a ransom note with a Bitcoin wallet address. The demand was 0.06 Bitcoin, roughly 570 euros at the time - a low amount possibly reflecting that multiple attackers had already accessed the unprotected database. A penetration test would have identified this misconfiguration before any damage occurred.


The Bar Association's electronic lawyer mailbox (BeA) has apparently fallen victim to a ransomware attack. A misconfigured database allowed the attackers, among other things, to demand a ransom.

Bar association hit by ransomware 2 weeks ago

The news website Golem already reported about two weeks ago that the information page of the electronic lawyer mailbox was repeatedly offline and therefore could not be reached. New information indicates that this "downtime" of the information page was the result of a cyber attack. The affected website is not the BeA system itself; it is simply an informational site for the public. Still, this attack is not to be taken lightly, because a well-known type of misconfiguration caused the damage. The information page was running a MySQL database that was apparently configured to accept every connection without requiring a username and password. This misconfiguration allowed attackers to copy the data and then delete the entire database.

€570 as the ransom demand

The database, which was vulnerable because of the misconfiguration, contained no data after the attack. The two remaining tables each held only a single entry that referenced an onion address. This kind of extortion is no longer a new strategy. Opening the onion address shows the attackers' demand: to get back the data of the compromised database, 0.06 Bitcoin is to be transferred to a specified wallet. At the current time, 0.06 Bitcoin is worth about €570, a fairly small amount for a ransomware demand. It is precisely such a ransom demand that characterises a ransomware attack, in this case against the Bar Association. It is not uncommon for data to be downloaded before it is encrypted or deleted; if the victim does not pay the ransom, the attackers threaten to release the data. The small demand could be related to the fact that the contents of the database have fallen into the hands of several criminals and could therefore already be widely distributed. Since the database was completely unprotected, it is reasonable to assume that more than one group stole the data. To protect yourself and your stored data, make sure that the database you are using is configured correctly. A misconfiguration like the one in this example would be noticed very quickly during a penetration test, so you can save yourself a costly cyber attack by proactively discovering and closing your security gaps.
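The misconfiguration described above, a MySQL server that accepts connections without credentials and is reachable from the network, is easy to check for on your own systems. The following script is an added example for this article, not code from the original post or from the affected site. It audits two things: rows from MySQL's `mysql.user` table (anonymous accounts, accounts without a password, accounts allowed from any host) and a `my.cnf` fragment (the `skip-grant-tables` option, which disables authentication entirely, and a `bind-address` that exposes the listener on every interface). The account rows and configuration text are constructed sample input, not data from the BeA incident, and the hostnames and passwords in the generated remediation statements are placeholders you must replace.

```python
"""Audit MySQL account rows and server configuration for the kind of
misconfiguration that lets anyone connect without credentials.

Added example for this article; not code from the original page.
All sample rows and config text below are constructed, not real data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One row of `SELECT user, host, plugin, authentication_string FROM mysql.user`."""
    user: str
    host: str
    plugin: str
    authentication_string: str


# Constructed sample rows (assumption: this is what the query above returned).
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", "caching_sha2_password", "$A$005$<hash>"),
    Account("", "%", "mysql_native_password", ""),        # anonymous, any host, no password
    Account("web", "%", "mysql_native_password", ""),     # named account, empty password, any host
    Account("backup", "10.0.0.%", "caching_sha2_password", "$A$005$<hash>"),
    Account("admin", "localhost", "auth_socket", ""),     # socket auth: no password by design
]

# Plugins that authenticate via the local Unix socket; an empty
# authentication_string is expected for them and is not a finding.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}


def findings_for(acct: Account) -> list[str]:
    """Return the findings for one account; an empty list means the row is fine."""
    findings = []
    if acct.user == "":
        findings.append("anonymous account")
    if acct.plugin not in SOCKET_PLUGINS and acct.authentication_string == "":
        findings.append("empty password")
    if acct.host == "%":
        findings.append("reachable from any host")
    return findings


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map 'user'@'host' to its findings for every account that has at least one."""
    result = {}
    for acct in accounts:
        found = findings_for(acct)
        if found:
            result[f"'{acct.user}'@'{acct.host}'"] = found
    return result


def remediation_sql(accounts: list[Account]) -> list[str]:
    """Generate SQL to remove anonymous accounts and lock down the others.

    Hostnames and passwords are placeholders (marked with <...>) that the
    operator must fill in; the statements are not meant to be run blindly.
    """
    statements = []
    for acct in accounts:
        found = findings_for(acct)
        if not found:
            continue
        if acct.user == "":
            statements.append(f"DROP USER ''@'{acct.host}';")
            continue
        if "empty password" in found:
            statements.append(
                f"ALTER USER '{acct.user}'@'{acct.host}' IDENTIFIED BY '<strong password>';")
        if "reachable from any host" in found:
            statements.append(
                f"RENAME USER '{acct.user}'@'%' TO '{acct.user}'@'<allowed host>';")
    statements.append("FLUSH PRIVILEGES;")
    return statements


def config_findings(cnf_text: str) -> list[str]:
    """Flag server-level settings in a my.cnf fragment that remove
    authentication (skip-grant-tables) or expose the listener everywhere."""
    findings = []
    bind_address = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or line.startswith("["):
            continue                                  # skip blanks and section headers
        key, _, value = line.partition("=")
        key, value = key.strip().replace("_", "-"), value.strip()
        if key == "skip-grant-tables":
            findings.append("skip-grant-tables: every client is accepted without credentials")
        elif key == "bind-address":
            bind_address = value
    # MySQL listens on all interfaces when bind-address is absent or a wildcard.
    if bind_address in (None, "0.0.0.0", "::", "*"):
        findings.append(f"bind-address={bind_address}: server listens on all interfaces")
    return findings


# Constructed my.cnf fragment reproducing the insecure state (assumption).
SAMPLE_CNF = "[mysqld]\nskip-grant-tables\nbind-address = 0.0.0.0\n"

if __name__ == "__main__":
    for name, found in audit(SAMPLE_ACCOUNTS).items():
        print(name, "->", ", ".join(found))
    for finding in config_findings(SAMPLE_CNF):
        print("config ->", finding)
    print("\n".join(remediation_sql(SAMPLE_ACCOUNTS)))
```

On a real server, feed `audit()` the rows returned by the `mysql.user` query and `config_findings()` the contents of the server's option file; either check would have flagged a database that accepts every client without a password. Keeping `bind-address` on `127.0.0.1` (or a private interface) and dropping the anonymous account are the two changes that close the gap described in the article.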


About the author

Vincent Heinen

Head of Offensive Services

M.Sc. in IT Security with more than 5 years of experience in offensive security analysis. Leads the execution of penetration tests, specialising in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.

Certifications: OSCP+, OSCP, OSWP, OSWA