NSA shares advice on how to limit location tracking

The intelligence agency warns of location tracking risks and offers tips for how to reduce the amount of data shared

The United States’ National Security Agency (NSA) has published guidance on how to reduce the variety of risks that stem from having your location tracked when using smartphones, IoT devices, social media and mobile apps. Despite being geared towards military and intelligence personnel, the advice can be useful for anybody who’s looking to limit their location exposure.

“Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” according to the intelligence agency.

The guidance notes that a powered-on smartphone exposes your location – regardless of whether or not you’re actively using the device. “Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. This means a provider can track users across a wide area,” said the agency.

On a related note, a smartphone can reveal its location even if both the Global Positioning System (GPS) and cellular service are offline or disabled – relying on Wi-Fi and Bluetooth connections to do the ‘job’. This could provide ample opportunity for adversaries to track their targets using wireless sniffers, even if their potential victims aren’t using any of the wireless connections actively, said the NSA.

The intelligence agency also stressed the need to distinguish between location services, which are services provided by devices to apps, and GPS. “Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure. Disabling location services only limits access to GPS and location data by apps,” according to the agency.

And it’s not just phones…

Similar risks are associated with other devices that send and receive wireless signals, including all sorts of Internet of Things (IoT) devices, fitness trackers, medical equipment, and smart home devices. However, staying safe while using these devices is easier said than done, not least because many of these gadgets don’t provide the option to turn their wireless features off. Indeed, the privacy and security of IoT devices in general leave a lot to be desired.

RELATED READING: Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online

The agency also noted that many mobile apps request users’ permissions for location tracking although it isn’t necessary for them to operate. “Apps, even when installed using the approved app store, may collect, aggregate, and transmit information that exposes a user’s location,” said the NSA. ESET Chief Security Evangelist Tony Anscombe recently discussed the issue at length.

How to limit the risks

“While it may not always be possible to completely prevent the exposure of location information, it is possible – through careful configuration and use – to reduce the amount of location data shared,” said the NSA. To this end, the agency shared a bunch of tips on how to reduce the amount of location data shared and so mitigate the risks of being tracked. They include:

- disabling location services settings on your device
- disabling all the radio transmitters while you’re not using them (Bluetooth and Wi-Fi)
- using a Virtual Private Network to help conceal your location
- giving apps as few permissions as possible
- being very cautious about what you share on social media; metadata on pictures, for example, could contain location information
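The last tip, photo metadata, is the one a user can verify for themselves before sharing a picture. The following is an added example, not part of the NSA guidance or of this article: it parses the EXIF block of a JPEG for an embedded GPS fix and writes a copy with the EXIF segment removed. The parsing is pure standard-library Python (JPEG marker segments, then the TIFF structure EXIF uses); build_sample_jpeg() is a helper of this example that constructs a minimal JPEG skeleton with a GPS IFD for testing, not a real photograph.

```python
import struct

# Added example (not from the NSA guidance): find the GPS fix a JPEG may carry in its
# EXIF metadata and write a copy without the EXIF segment before the picture is shared.

GPS_IFD_TAG = 0x8825                    # IFD0 entry that points at the GPS sub-IFD
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}

def _jpeg_segments(jpeg):
    """Return ([(marker, start, end)], tail): marker segments up to SOS, then the rest."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        segs.append((marker, pos, pos + 2 + length))
        pos += 2 + length
        if marker == 0xDA:              # SOS: entropy-coded image data follows
            break
    return segs, jpeg[pos:]

def _exif_tiff(jpeg, seg):
    """TIFF payload of an APP1/Exif segment, or None for any other segment."""
    marker, start, end = seg
    if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
        return jpeg[start + 10:end]
    return None

def _ifd_entries(tiff, offset, fmt):
    """Yield (tag, type, count, position of the 4-byte value/offset field)."""
    n = struct.unpack(fmt + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        yield tag, typ, count, e + 8

def _value(tiff, fmt, typ, count, vpos):
    """Decode ASCII (type 2) and RATIONAL (type 5), the types the GPS IFD uses."""
    off = struct.unpack(fmt + "I", tiff[vpos:vpos + 4])[0]
    if typ == 2:                        # values of up to 4 bytes are stored inline
        raw = tiff[vpos:vpos + count] if count <= 4 else tiff[off:off + count]
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 5:                        # rationals never fit inline: field holds an offset
        v = struct.unpack(fmt + "%dI" % (2 * count), tiff[off:off + 8 * count])
        return [v[i] / v[i + 1] for i in range(0, len(v), 2)]
    return None

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the EXIF data holds a GPS fix, else None."""
    segs, _ = _jpeg_segments(jpeg)
    for seg in segs:
        tiff = _exif_tiff(jpeg, seg)
        if tiff is None:
            continue
        fmt = "<" if tiff[:2] == b"II" else ">"     # byte order from the TIFF header
        ifd0 = struct.unpack(fmt + "I", tiff[4:8])[0]
        ptr = [v for t, _, _, v in _ifd_entries(tiff, ifd0, fmt) if t == GPS_IFD_TAG]
        if not ptr:
            continue
        gps_ifd = struct.unpack(fmt + "I", tiff[ptr[0]:ptr[0] + 4])[0]
        g = {GPS_TAGS[t]: _value(tiff, fmt, typ, c, v)
             for t, typ, c, v in _ifd_entries(tiff, gps_ifd, fmt) if t in GPS_TAGS}
        if "lat" not in g or "lon" not in g:
            continue
        lat = g["lat"][0] + g["lat"][1] / 60 + g["lat"][2] / 3600   # D + M/60 + S/3600
        lon = g["lon"][0] + g["lon"][1] / 60 + g["lon"][2] / 3600
        return (-lat if g.get("lat_ref") == "S" else lat,
                -lon if g.get("lon_ref") == "W" else lon)
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1/Exif segment dropped; image data is untouched."""
    segs, tail = _jpeg_segments(jpeg)
    out = bytearray(b"\xff\xd8")
    for seg in segs:
        if _exif_tiff(jpeg, seg) is None:
            out += jpeg[seg[1]:seg[2]]
    return bytes(out + tail)

def build_sample_jpeg(lat, lon):
    """Constructed input: a JPEG skeleton (not a viewable picture) whose only payload
    is an EXIF block with a GPS IFD for the given coordinates."""
    def dms(deg):                       # decimal degrees -> D, M, S rationals (S to 1/100 s)
        deg = abs(deg)
        d, m = int(deg), int((deg - int(deg)) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)
        return struct.pack("<6I", d, 1, m, 1, s, 100)
    ref = lambda c: c.encode() + b"\x00" * 3     # 2-byte ASCII padded to the 4-byte field
    # TIFF layout: header(8) | IFD0(18) @8 | GPS IFD(54) @26 | lat rationals @80 | lon @104
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI", 1, 2, 2) + ref("S" if lat < 0 else "N")
           + struct.pack("<HHII", 2, 5, 3, 80)
           + struct.pack("<HHI", 3, 2, 2) + ref("W" if lon < 0 else "E")
           + struct.pack("<HHII", 4, 5, 3, 104) + b"\x00" * 4)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + dms(lat) + dms(lon)
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")        # empty SOS, then EOI
```

Running exif_gps() over a folder of photos before they are uploaded tells you which ones carry a fix; strip_exif() removes the whole APP1/Exif segment rather than just the GPS tags, because camera model, timestamps and thumbnails in the same block can also narrow down where and when a picture was taken. Note that many social networks strip EXIF on upload, but the copy on the device and any copy sent by messaging or e-mail keeps it.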

FBI warns of surge in online shopping scams

In one scheme, shoppers ordering gadgets or gym equipment are in for a rude surprise – they receive disposable face masks instead

The FBI’s Internet Crime Complaint Center (IC3) has recorded a surge in complaints from victims who have been duped by fraudulent online marketplaces that never deliver the purchased items.

According to the FBI, victims are reporting that they came across these fraudulent websites either through ads posted on social media platforms or while looking for specific items using popular web search engines’ shopping pages. The wares offered by the scammy online stores range from gym equipment to small appliances and furniture.

Oddly, regardless of what the victims ordered, they received disposable face masks – a twist on the COVID-19 related schemes that have been doing the rounds for months now. Once the vendors received complaints about the ordered items not being delivered, they offered partial reimbursement and the face masks as compensation.

Alternatively, the sellers requested the items to be returned to China; this spells outsize expenses for the victims, leading them to settle for the partial reimbursement and not having to return the items. However, none of the victims were able to get a full refund out of the miscreants.

In an attempt to make their deceptions more plausible, the faux retailers provide valid United States-based addresses and telephone numbers in their “Contact us” sections. “Many of the websites used content copied from legitimate sites; in addition, the same unassociated addresses and telephone numbers were listed for multiple retailers,” the Bureau said.

The FBI shared several telltale signs of the websites being fake:

- the prices were too good to be true
- the cybercriminals registered the web addresses within the last six months, using private domain registration services to prevent their personal information from being published
- instead of using top-level domains like “.com”, the fraudulent websites used “.club” and “.top”
- the site was promoted on social media

To avoid falling for similar ruses, always do your due diligence on the retailer you’re considering purchasing from. Look into the reviews of the vendor, especially on third-party review services. Use the contacts listed on their page to see if the information checks out and actually belongs to them. And always be vigilant: if an offer seems too good to be true, it usually is. For further advice on protecting yourself from various flavors of online scams, you can refer to the advice on fraud prevention shared recently by ESET Chief Security Evangelist Tony Anscombe.

How much is your personal data worth on the dark web?

The going prices are lower than you probably think – your credit card details, for example, can sell for a few bucks

It’s no news that the dark web is rife with offers of stolen data that ranges from pilfered credit card information and hijacked payment services accounts to hacked social media accounts. Anyone interested can also hire a ne’er-do-well to launch a distributed denial of service (DDoS) attack, buy malware, or purchase forged documents and commit identity theft.

But have you ever wondered how much your personal information goes for on the dark web? Researchers at Privacy Affairs have sifted through the listings in the internet’s seedy underbelly and created an overview of the average price tags attached to your stolen personal data.

Called Dark Web Price Index 2020, the price breakdown of various kinds of stolen personal information shows that, for example, a cloned American Express card with PIN tops the payment card menu at US$35 a pop, while credit card details generally sell for as little as US$12-20. Meanwhile, stolen online banking credentials to accounts with a minimum balance of US$2,000 can go for US$65 on average.

As for payment processing services, PayPal accounts are by far the most commonly listed items. However, pilfered accounts go for lower prices than actual transfers from compromised accounts. Interestingly, a transfer within the US$1,000-3,000 range goes for an average price of some US$320 while transfers of over US$3,000 go for approximately half the price – US$156.

Offers to hack social media accounts aren’t, in fact, a commonly listed item, according to the report, which attributed this to bolstered security measures by social media platforms, as well as to low demand. Indeed, it’s safe to say that the price of your information on the underground marketplaces is governed by the age-old dictates of supply and demand. Once they are on offer, the prices are in the tens of dollars.

Meanwhile, Gmail accounts command a relatively high price at an average of US$156. This may be because a lot of people use single sign-on options, which would mean a compromised email account could open up a treasure trove of data and access to various other services.

Miscreants are also offering their services for hire. Potential buyers can shop around for DDoS attacks with prices depending on the size and duration of the onslaught, starting at US$10 and topping out at over US$800. Hackers also offer various forms of malware for sale with prices starting from US$70 and going all the way up to US$6,000 depending on various factors.

While the bulk of the stolen sensitive information comes from large-scale data breaches that have hit countless businesses over the years, there are multiple simple steps you can take to protect yourself. For example, look out for phishing attacks that prey on your login credentials or credit card details. Instead of using easy-to-remember passwords, opt for a strong and unique passphrase for each account. Importantly, use two-factor authentication whenever it is available. Also, never use an unsecured Wi-Fi network to access accounts that are home to your sensitive data. Use data breach notification services to learn if your details have been stolen in a known data breach. Finally, never underestimate the value of a multilayered security solution and make sure it’s up-to-date.

Week in security with Tony Anscombe

New ESET Threat Report is out – Defending against Thunderspy attacks – Thousands of databases wiped in Meow attacks

The ESET research team has released its new quarterly threat report that gives a snapshot of the most prevalent cyber-threats and trends in 2Q 2020, as well as reveals previously unpublished research updates. This week, we also took a deep look at Thunderspy, a set of vulnerabilities in the Thunderbolt interface, and shared comprehensive advice on how to defend against attacks exploiting the flaws. In other news, thousands of unprotected internet-facing databases have fallen victim to ‘Meow’ attacks, where attackers destroy data with no explanation. All this – and more – on WeLiveSecurity.com.

Twitter breach: Staff tricked by ‘phone spear phishing’

The attackers exploited the human factor to gain access to Twitter’s internal systems and the accounts of some of the world’s most prominent figures

Twitter – still recovering from the recent brazen breach where miscreants hijacked 130 accounts belonging to prominent figures and used the handles to peddle a bitcoin scam – has now shed some light on the circumstances leading up to the incident.

According to the company’s investigation, the attackers used social engineering to target a handful of its employees via a “phone spear phishing attack”.

In a typical spear phishing attack, a criminal masquerades as a trusted entity and sends a tailored email or instant message to a well-researched target in order to steal their sensitive information, such as login credentials or financial information, or to deliver malware.

In Twitter’s case, the incursion seems to have involved phone calls and happened in multiple phases. “Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” said the social media giant.

We’re sharing an update based on what we know today. We’ll provide a more detailed report on what occurred at a later date given the ongoing law enforcement investigation and after we’ve completed work to further safeguard our service. https://t.co/8mN4NYWZ3O

— Twitter Support (@TwitterSupport) July 31, 2020

The attackers then leveraged these credentials to access the tools they needed for their grand scheme – infiltrating 130 accounts, tweeting from 45, accessing the direct messages (DMs) of 36, and downloading data from seven. The company described the attack as a “significant and concerted attempt to mislead certain employees and exploit human vulnerabilities.”

Twitter went on to say that in light of the attack it has revised its security measures and severely limited access to its internal tools and systems, while it investigates the incident further. The company warned that this may lead to a curtailed user experience:

“As a result, some features (namely, accessing the Your Twitter Data download feature) and processes have been impacted. We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform.”

The social media platform also announced that it is working on improving its methods concerning the prevention and detection of inappropriate access and use of its internal tools. Twitter also vowed to continue to conduct company-wide phishing exercises.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

Shortly after the security breach dating back to July 15th, the hijacked account of Tesla CEO Elon Musk fired off a tweet saying “I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

A spate of similar tweets followed from other hacked accounts, including those of Barack Obama, Joe Biden, Bill Gates and Jeff Bezos, among others. The ploy apparently worked, since one of the cryptocurrency wallets received 12.86 BTC (some US$117,000) over a short span of time.

Shortly after the incident, Motherboard, security journalist Brian Krebs, and the New York Times all published interesting accounts of what led to the breach, complete with testimonies from people allegedly involved in the scheme.

Additional reading

What to do if your Twitter account has been hacked

10 billion records exposed in unsecured databases, study says

The databases contain personal information that could be used for phishing attacks and identity theft schemes

Researchers have found close to 10.5 billion pieces of consumer data that have been left sitting in almost 10,000 unsecured internet-facing databases hosted across 20 countries. The data is said to include email addresses, passwords, and phone numbers.

The study was conducted by NordPass between June 2019 and June 2020 in cooperation with an unnamed white hat hacker, who scanned the web for misconfigured Elasticsearch and MongoDB instances.

It’s worth noting that three countries accounted for most of the exposed records, with France bearing the brunt (5.1 billion detected entries). China followed with 2.6 billion records and the United States came in third with 2.3 billion data points. When it comes to countries with the largest numbers of misconfigured databases, China came first (4,000), followed by the US (3,000) and India (500).

Since the information is stored in unprotected databases, cybercriminals would have to put in little to no effort to gain access to the data. With the records in hand they could wreak all sorts of havoc on their victims.

For example, the pilfered data could be used for social engineering attacks that are ultimately aimed at draining your bank accounts or at breaking into your other accounts. These attacks pay dividends especially if you recycle your passwords across various online services.

The stolen information could also be used to conduct (spear)phishing attacks that could lead to hundreds of thousands of dollars in losses, as one Premier League club almost found out recently. In other scenarios, miscreants could sell the data on the dark web, extort the victims or, as the recent ‘Meow’ attacks have shown, some data could simply be replaced with random garbage. Passwords are the bare minimum the admins should have used to secure the databases.

RELATED READING: Five tips for keeping your database secure

It’s worthwhile to remind ourselves of some account security basics, which include using unique and strong passwords or passphrases, potentially with the help of a password manager. It’s also highly advisable to use two-factor authentication, which adds an extra layer of security in exchange for very little effort. If you ever suspect that something is amiss with your accounts, you can also check out our handy guide on how to check if your password has been stolen.
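For the administrators rather than the users of these databases, the misconfiguration behind most of the exposed instances is a known one: the server listens on every interface while authentication is left off. The following is an added example, not from the NordPass study or from ESET: a small audit of a mongod.conf and an elasticsearch.yml for exactly that combination. It parses the flat "key: value" YAML subset those files use without a YAML library; the option names (net.bindIp, net.bindIpAll, security.authorization, network.host, xpack.security.enabled) are the real ones, the sample configurations are constructed, and treating a missing xpack.security.enabled as false follows the default of the 7.x releases current at the time of the article.

```python
# Added example (not from the NordPass study): flag database servers that are bound to
# external interfaces with no authentication, the state behind the exposed instances.

EXPOSED = {"0.0.0.0", "::", "_site_", "_global_"}   # "listen on all / external interfaces"

def parse_simple_yaml(text):
    """Flatten 'key: value' YAML into {'dotted.key': value}. Nested maps are recognised
    by indentation; lists, anchors and multi-line scalars are out of scope here."""
    result, stack = {}, []                        # stack of (indent, key) for open maps
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # dedent closes the enclosing maps
            stack.pop()
        path = ".".join(k for _, k in stack) + ("." if stack else "") + key
        value = value.strip().strip("'\"")
        if value == "":
            stack.append((indent, key))           # a nested map follows
        else:
            result[path] = value
    return result

def _truthy(v):
    return str(v).lower() in {"true", "yes", "on", "1", "enabled"}

def audit_mongod(conf_text):
    """Findings for a mongod.conf: external bind without security.authorization."""
    c = parse_simple_yaml(conf_text)
    bind = {b.strip() for b in c.get("net.bindIp", "127.0.0.1").split(",")}
    exposed = _truthy(c.get("net.bindIpAll", "false")) or bool(bind & EXPOSED)
    auth = c.get("security.authorization", "disabled") == "enabled"
    findings = []
    if exposed and not auth:
        findings.append("CRITICAL: mongod listens on external interfaces with authorization disabled")
    elif exposed:
        findings.append("WARN: mongod reachable externally; confirm a firewall limits who can connect")
    if not auth:
        findings.append("WARN: security.authorization is not 'enabled'")
    return findings

def audit_elasticsearch(conf_text):
    """Findings for an elasticsearch.yml: external network.host without xpack security.
    A missing xpack.security.enabled is treated as false (the 7.x default)."""
    c = parse_simple_yaml(conf_text)
    host = c.get("network.host", "_local_")
    exposed = host in EXPOSED or host not in {"_local_", "localhost"} and not host.startswith("127.")
    secured = _truthy(c.get("xpack.security.enabled", "false"))
    findings = []
    if exposed and not secured:
        findings.append("CRITICAL: Elasticsearch bound to an external address with xpack.security.enabled=false")
    elif exposed:
        findings.append("WARN: Elasticsearch reachable externally; verify TLS and roles are configured")
    if not secured:
        findings.append("WARN: xpack.security.enabled is not true")
    return findings

# Constructed samples: the exposed shape next to a hardened one for each product.
MONGOD_EXPOSED = """\
# constructed sample mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""
MONGOD_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""
ES_EXPOSED = "cluster.name: logs\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
ES_HARDENED = "network.host: 10.0.0.5\nxpack.security.enabled: true\n"

if __name__ == "__main__":
    for label, findings in [("mongod (exposed)", audit_mongod(MONGOD_EXPOSED)),
                            ("mongod (hardened)", audit_mongod(MONGOD_HARDENED)),
                            ("elasticsearch (exposed)", audit_elasticsearch(ES_EXPOSED)),
                            ("elasticsearch (hardened)", audit_elasticsearch(ES_HARDENED))]:
        print(label, "->", findings or ["ok"])
```

The audit is deliberately conservative: binding to a LAN address with authentication on is reported as a warning, not a pass, because the scans in the study found instances reachable from the internet regardless of what the administrator believed the network boundary to be. Pair the configuration check with an external port scan of 27017 and 9200 to confirm what is actually exposed.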

Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe

All you need to know about preventing adversaries from exploiting the recently disclosed vulnerabilities in the Thunderbolt interface

In May 2020, Björn Ruytenberg, a computer security researcher at the Eindhoven University of Technology in the Netherlands, announced the discovery of Thunderspy, a series of vulnerabilities in the Thunderbolt technology, together with interrelated scenarios for changing – including disabling – the security level of a computer’s Thunderbolt interface. These allow an adversary with physical access to the machine to copy data off it, even if full disk encryption (FDE) is used and the machine is locked with a password or sleeping in low-power mode.

While Ruytenberg’s research has (quite deservedly) received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim. In this article, we will explore practical methods to defend against it, as well as anti-tamper steps that can help ascertain if a computer has been physically compromised.

Note: Attacks such as those described by Ruytenberg are both highly targeted and very rare compared to the types of attacks reported by ESET’s telemetry on a daily basis, and can sound like something out of a spy novel. Although this may represent a realistic threat to, say, 0.001% of computer users, with over 100 million people trusting our software on a daily basis, that is still over 1,000 potential victims. For those people, following some of the admittedly draconian recommendations in this article can help reduce that risk. Regardless of your risk level, we hope you will find this information to be of use.


Figure 1. Two Thunderbolt 3 ports on a MacBook Pro

Thunderbolt is an interface for allowing high-speed connections between computers and peripherals such as external RAID arrays, cameras, high-resolution displays, multi-gigabit network connections, and expansion docks and cages for external video cards. Originally developed by Intel and Apple, it first appeared in the 2011 release of Apple’s MacBook Pro notebook computers. It was followed by Thunderbolt 2 in 2013, and Thunderbolt 3 in 2016.

Table 1. List of Thunderbolt releases

Generation | Released | Intel Controller | Connector type | Speed
--- | --- | --- | --- | ---
Thunderbolt | 2011 | Light Peak | Mini DisplayPort | 20Gbit/s (two 10Gbit/s bonded lanes)
Thunderbolt 2 | 2013 | Falcon Ridge | Mini DisplayPort | 20Gbit/s
Thunderbolt 3 | 2016 | Alpine Ridge | USB Type-C | 40Gbit/s
Thunderbolt 3 | 2018 | Titan Ridge (refresh of Alpine Ridge) | USB Type-C | 40Gbit/s

The technology that enables these types of high-speed connections between computers and peripherals is Direct Memory Access (DMA). Simply put, DMA allows peripherals to read and write directly to any location in a computer’s memory, bypassing CPU management overhead and delays while the CPU processes other interrupts and I/O requests, greatly speeding up the transfer of data. In this case, DMA is something of a two-edged sword: If the interface channel using DMA is not secured, there is the possibility for memory to be read from or written to in ways that impact the confidentiality, integrity or availability of information stored in it.

Understand that this does not mean that Thunderbolt technology, or utilizing DMA for transfers, is inherently insecure, but rather that the risks involved need to be carefully examined and modeled in order to defend against possible attacks. The use of DMA in PCs dates back to the design of the original IBM PC released in 1981 and may have been present in earlier computer designs as well. PCs have had several DMA-capable interfaces over the years, from expansion buses such as ISA, EISA, VLB, PCI and PCIe, through floppy diskette and hard disk drive controllers, to CardBus and ExpressCard on notebook computers, and so forth. DMA is a robust technique and one that can be implemented with security checks and balances.

If any of this sounds vaguely familiar, you may recall a WeLiveSecurity article from 2011, Where there’s Smoke, there’s FireWire, discussing DMA abuse using FireWire (IEEE-1394) interfaces in both PCs and Macs. And, it should be noted, there are other kinds of attacks on hardware as well, such as 2015’s Thunderstrike, which targeted the EFI ROM in Macs, and 2018’s Meltdown and Spectre speculative execution vulnerabilities in CPUs.

For an introduction to Thunderspy attacks, read Thunderbolt flaws open millions of PCs to physical hacking on WeLiveSecurity. If you have not read that article, I strongly encourage you to read it before proceeding. With that proviso in mind, let’s look at the threat model for Thunderspy, what the realistic targets for an attacker are, and perhaps most importantly, realistic defenses against those.


Ruytenberg provides two proofs of concept (sample code) for Thunderspy that accomplish two different tasks:

1. Clone the identities of Thunderbolt devices allowed by the computer.
2. Permanently disable Thunderbolt security.

The first, cloning, attack is like thieves who steal a key to a lock and then copy it: afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of “bricking” a chip: in this case, disabling Thunderbolt’s security levels and then write-protecting the changes so they cannot be undone.

Cloning requires plugging custom Thunderbolt hardware into the target computer and/or disassembling the target computer in order to attach an SPI programmer to the Thunderbolt chip’s SPI flash ROM chip cabled to an SOIC clip adapter. Bricking the chip requires use of the SPI programmer and cable clip adapter, too.

Additional attack scenarios require running software and/or obtaining information about firmware versions on the target computer.

In case it is not clear from the description above, these types of attacks are not done simply, since actual in-person access to the computer is required, along with the tools to disassemble the physical computer, attach the logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. All without the computer owner noticing this has occurred (and, of course, not accidentally damaging the computer in the process).
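Whether a device plugged in during such an attack actually gets DMA depends on two settings a defender can read off a Linux machine without any tools: the Thunderbolt security level of each controller (the same levels the cloning attack targets) and whether the kernel is enforcing IOMMU-based DMA protection, which isolates a device’s memory accesses regardless of the level. The check below is an added example, not from Ruytenberg’s research or from ESET. The sysfs attribute names (domainN/security, domainN/iommu_dma_protection, <device>/authorized) are the ones the kernel documents in Documentation/admin-guide/thunderbolt.rst; the scoring, the assessments and the make_fake_sysfs() helper that builds a constructed tree for testing are this example’s own.

```python
import tempfile
from pathlib import Path

# Added example (not from Ruytenberg or ESET): read the Thunderbolt security level and
# kernel DMA protection status that Linux exposes under sysfs and assess them.

SYSFS_ROOT = Path("/sys/bus/thunderbolt/devices")

# score: 0 = DMA from external devices is gated, 1 = weak, 2 = unprotected
LEVELS = {
    "none":    (2, "all devices authorized automatically: PCIe tunnels, hence DMA, for anything plugged in"),
    "user":    (1, "user authorization required, but keyed to a device identity that can be cloned"),
    "secure":  (0, "devices must answer a per-device key challenge on every connection"),
    "dponly":  (0, "only DisplayPort is tunneled: no PCIe, no DMA"),
    "usbonly": (0, "only USB and DisplayPort are tunneled: no PCIe, no DMA"),
}

def _read(path, default):
    try:
        return Path(path).read_text().strip()
    except OSError:
        return default

def thunderbolt_dma_report(root=SYSFS_ROOT):
    """Return {'worst': score, 'domains': [...], 'devices': [...]} for the tree under root.
    worst is -1 when no Thunderbolt domain exists (no controller, or driver not loaded)."""
    root = Path(root)
    report = {"worst": 0, "domains": [], "devices": []}
    for dom in sorted(root.glob("domain*")):
        level = _read(dom / "security", "unknown")
        iommu = _read(dom / "iommu_dma_protection", "0") == "1"
        score, why = LEVELS.get(level, (1, "unrecognised security level"))
        if iommu:
            # With the IOMMU translating device addresses, a device cannot read arbitrary
            # RAM even at level 'none'; the level then only controls enumeration.
            score, why = 0, f"kernel DMA protection active (IOMMU); level '{level}' is not what gates DMA"
        report["domains"].append({"domain": dom.name, "security": level,
                                  "iommu_dma_protection": iommu, "score": score, "assessment": why})
        report["worst"] = max(report["worst"], score)
    for dev in sorted(root.glob("*-*")):            # devices are named <domain>-<route string>
        if (dev / "authorized").exists():           # 0 = not authorized, 1 = authorized, 2 = secure
            report["devices"].append({"device": dev.name,
                                      "name": _read(dev / "device_name", "?"),
                                      "authorized": _read(dev / "authorized", "?")})
    if not report["domains"]:
        report["worst"] = -1
    return report

def make_fake_sysfs(spec):
    """Constructed sysfs-like tree in a temp dir, e.g. {"domain0": {"security": "user"}}."""
    root = Path(tempfile.mkdtemp(prefix="tb-sysfs-"))
    for entry, attrs in spec.items():
        (root / entry).mkdir()
        for name, value in attrs.items():
            (root / entry / name).write_text(value + "\n")
    return root

if __name__ == "__main__":
    r = thunderbolt_dma_report()
    for d in r["domains"]:
        print(f"{d['domain']}: security={d['security']} iommu_dma_protection={d['iommu_dma_protection']}"
              f" -> {d['assessment']}")
    for d in r["devices"]:
        print(f"  {d['device']} {d['name']!r} authorized={d['authorized']}")
    print("no Thunderbolt domains found" if r["worst"] < 0 else f"worst score: {r['worst']}")
```

The attributes are world-readable, so the report needs no privileges; running it on a laptop that is supposed to be protected and seeing iommu_dma_protection=0 with level user is the configuration to fix first (firmware setting, then a kernel new enough to report the flag). On Windows, msinfo32 reports the equivalent "Kernel DMA Protection" status.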

Because of the time and complexity of this type of

ESET Threat Report Q2 2020

A view of the Q2 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

With half a year passed since the outbreak of COVID-19, the world is now trying to come to terms with the new normal. But even with the initial panic settled, and many countries easing up on their lockdown restrictions, cyberattacks exploiting the pandemic showed no sign of slowing down in Q2 2020.

Our specialists saw a continued influx of COVID-19 lures in web and email attacks, with fraudsters trying to make the most out of the crisis. ESET telemetry also showed a spike in phishing emails impersonating one of the world’s leading package delivery services – a tenfold increase compared to Q1 – and targeting online shoppers. The rise in attacks targeting Remote Desktop Protocol (RDP) – the security of which still often remains neglected – continued in Q2, with persistent attempts to establish RDP connections more than doubling since the beginning of the year. 

One of the most rapidly developing areas in Q2 was the ransomware scene, with some operators abandoning the – still quite new – trend of doxing and random data leaking, and moving to auctioning the stolen data on dedicated underground sites, and even forming “cartels” to attract more buyers. 

Ransomware also made an appearance on the Android platform, targeting Canada under the guise of a COVID-19 tracing app. ESET researchers quickly put a halt to this campaign and provided a decryptor for victims. Among many other findings, our researchers uncovered Operation In(ter)ception, which targeted high-profile aerospace and military companies; revealed the modus operandi of the elusive InvisiMole group; and dissected Ramsay, a cyberespionage toolkit targeting airgapped networks. 

Besides offering recaps of these findings, this report also brings exclusive, previously unpublished ESET research updates, with a special focus on APT group operations – see the News From the Lab and APT Group Activity sections! 

Throughout the first half of 2020, ESET has also actively contributed to the MITRE ATT&CK knowledge base in its newly released, revamped version with sub-techniques. The latest ATT&CK update includes four new ESET contributions. 

And finally, after a break, this quarter has seen new conference plans take shape – although with packed venues replaced by virtual streams – and we are excited to invite you to ESET’s talks and workshops at BlackHat USA, BlackHat Asia, VB2020 and others. 

Follow ESET research on Twitter for regular updates on key trends and top threats. 

FBI warns of disruptive DDoS amplification attacks

The Bureau expects cybercriminals to increasingly abuse new threat vectors for large-scale DDoS attacks

The Federal Bureau of Investigation (FBI) has issued an alert warning private sector organizations in the United States about a ramp-up in the use of built-in network protocols for large-scale distributed denial-of-service (DDoS) amplification attacks.

“A DDoS amplification attack occurs when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim. Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources,” wrote the FBI. The alert has been posted online, including on the website of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).

The FBI highlights recent threat vectors and developments, noting that the first DDoS amplification attacks to abuse the network protocols go back to December 2018, when cybercriminals exploited the multicast and command transmission features of the Constrained Application Protocol (CoAP). Most of the internet-accessible CoAP devices can be found in China and are using peer-to-peer networks.

During the summer of 2019, attackers took aim at the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, some of which achieved a magnitude of 350 gigabits per second. Internet of Things (IoT) devices use WS-DD to automatically detect other devices nearby, and since there are 630,000 devices with this protocol enabled, they can be attractive targets used to amplify DDoS attacks. That same year, researchers also reported a rise in the use of misconfigured IoT devices in amplified DDoS attacks.

In October 2019, miscreants abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD), to conduct DDoS amplification attacks. This protocol is usually employed by large organizations to manage their Apple computers.

Making matters worse, in February 2020 researchers found a vulnerability in the built-in network discovery protocols of Jenkins servers, which could potentially allow attackers to amplify DDoS attack traffic a hundredfold against their victims. There is no record of the flaw being exploited so far, but the FBI highlighted the resulting increase in the attack surface.

“In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” said the FBI in its private industry notification.

The Bureau also outlined several steps to defend against the threat:

- Set up a network firewall that will block access to all unauthorized IP addresses.
- Ensure all your connected devices are updated to the newest firmware versions and have the newest security patches applied.
- Change all the default usernames and passwords on your IoT and other devices and use two-factor authentication.
- Register with a DDoS mitigation service.

DDoS attacks typically involve flooding a target with traffic from a large number of devices that have been corralled into a botnet, effectively bringing the victim’s services offline. These onslaughts are often unleashed as a way to extort money from the targets or even as a cover for other attacks. Whatever the motive, DDoS attacks in any of their flavors are known to cost organizations millions in lost revenue.
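Two checks follow directly from the FBI’s description of the mechanism: a host that answers small UDP requests with much larger replies is a reflector, and the attacker can only point those replies at a victim if packets with a forged source address are allowed to leave a network. The following is an added example, not from the FBI notification: the first function pairs inbound request flows with outbound response flows on the services the alert names and reports the amplification ratio, the second is a BCP 38 style egress check for packets whose source address is not one of the organization’s own prefixes. The UDP port numbers are the standard assignments for CoAP, WS-Discovery and Apple Remote Desktop; the flow records, packets and prefixes are constructed sample data, and the thresholds are this example’s assumptions.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the FBI alert): spot reflectors from flow records and spoofed
# source addresses on egress, the two things an amplification attack depends on.

AMPLIFIER_UDP_PORTS = {            # services named in the alert; standard port assignments
    5683: "CoAP",
    3702: "WS-Discovery (WS-DD)",
    3283: "Apple Remote Desktop (ARMS)",
}

def find_reflectors(flows, min_ratio=5.0, min_response_bytes=10_000):
    """Match inbound requests to outbound responses per (server, port, peer) and flag
    pairs whose response volume exceeds the request volume by at least min_ratio."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] in AMPLIFIER_UDP_PORTS:       # request into a service we host
            req[(f["dst"], f["dport"], f["src"])] += f["bytes"]
        if f["sport"] in AMPLIFIER_UDP_PORTS:       # response from that service
            resp[(f["src"], f["sport"], f["dst"])] += f["bytes"]
    alerts = []
    for key, out_bytes in resp.items():
        in_bytes = req.get(key, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= min_ratio:
            server, port, peer = key
            alerts.append({"reflector": server, "service": AMPLIFIER_UDP_PORTS[port],
                           "victim": peer, "request_bytes": in_bytes,
                           "response_bytes": out_bytes, "amplification": round(ratio, 1)})
    return sorted(alerts, key=lambda a: -a["response_bytes"])

def spoofed_egress(packets, our_prefixes):
    """Outbound packets whose source address lies outside our own prefixes. With BCP 38
    filtering at the edge these are dropped instead of reaching a reflector."""
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    return [p for p in packets
            if not any(ipaddress.ip_address(p["src"]) in n for n in nets)]

# Constructed sample: 203.0.113.10 runs CoAP; "198.51.100.7" sends 20 tiny requests and
# receives 20 full-size replies. 203.0.113.20 sees an ordinary WS-DD exchange.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "sport": 40001, "dst": "203.0.113.10", "dport": 5683,
     "proto": "udp", "pkts": 20, "bytes": 1200},
    {"src": "203.0.113.10", "sport": 5683, "dst": "198.51.100.7", "dport": 40001,
     "proto": "udp", "pkts": 20, "bytes": 28000},
    {"src": "192.0.2.5", "sport": 50200, "dst": "203.0.113.20", "dport": 3702,
     "proto": "udp", "pkts": 2, "bytes": 600},
    {"src": "203.0.113.20", "sport": 3702, "dst": "192.0.2.5", "dport": 50200,
     "proto": "udp", "pkts": 2, "bytes": 900},
]

# Constructed sample: one packet leaving our 203.0.113.0/24 network claims to come from
# 198.51.100.7 and is headed for an external CoAP service.
SAMPLE_EGRESS = [
    {"src": "203.0.113.10", "dst": "192.0.2.50", "dport": 53},
    {"src": "198.51.100.7", "dst": "192.0.2.77", "dport": 5683},
]

if __name__ == "__main__":
    for a in find_reflectors(SAMPLE_FLOWS):
        print(f"{a['reflector']} ({a['service']}) -> {a['victim']}: {a['response_bytes']} B out "
              f"for {a['request_bytes']} B in, x{a['amplification']}")
    for p in spoofed_egress(SAMPLE_EGRESS, ["203.0.113.0/24"]):
        print("spoofed source on egress:", p)
```

On real flow exports (NetFlow, IPFIX, sFlow) the same pairing works once the records are normalised to the dict shape used here; the request side is often missing entirely when the "client" is a spoofed victim that never sent anything, which is why an absent request is treated as infinite amplification rather than ignored. Spoofed-egress hits from inside the network are worth treating as an incident in their own right, since they point at a compromised host being used as a bot.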

Almost 4,000 databases now wiped in ‘Meow’ attacks

The attackers and their motivations remain unknown; however, the incidents yet again highlight the risks of careless data security

Thousands of unsecured internet-facing databases have been on the receiving end of automated ‘Meow’ attacks that involve destroying the data without leaving as much as an explanatory note.

A search on Shodan shows that the Meow attacks have escalated in recent days, with almost 4,000 databases now wiped. While more than 97% of the attacks hit Elasticsearch and MongoDB instances, systems running Cassandra, CouchDB, Redis, Hadoop, Jenkins, and Apache ZooKeeper have been targeted as well, wrote BleepingComputer.

The onslaughts owe their moniker to the fact that the data is overwritten with random characters that include the word ‘meow’. Both the perpetrators and their reasons for the scorched-earth tactics remain unknown.

Meanwhile, a security researcher wrote on Twitter that the attacks have been carried out using ProtonVPN IP addresses.

The #meow attack is going thru @protonvpn, not sure how many origin IPs there are. From the logs in MongoDB you can see it drops databases first then create new ones with $randomstring-meow @MayhemDayOne @BleepinComputer #infosec pic.twitter.com/49dnVOGyq7

— (@anthrax0) July 24, 2020

Proton responded by saying, “We are looking into this and will block all usage of ProtonVPN which goes against our terms and conditions.”

One of the first recorded instances of these Meow attacks targeted an Elasticsearch database belonging to a VPN provider. The unsecured database was discovered by security researcher Bob Diachenko and was one of the 7 VPN services that leaked the data of over 20 million users.

Diachenko went on to notify the hosting provider on July 14th, and the database was secured the next day. However, it was exposed a second time on July 20th and then hit with a Meow bot attack that wiped almost all the data stored on the database.

RELATED READING: Five tips for keeping your database secure

The onslaughts have also been observed by researchers from the non-profit GDI Foundation. One of the attacks occurred after a researcher responsibly disclosed an exposed database to its owner. Victor Gevers, the foundation’s chairman, noted that the perpetrator is probably targeting any unsecured database that can be accessed over the internet.

While some researchers debate whether the attackers are trying to ‘educate’ administrators to keep their databases locked down, the fact of the matter remains that administrators should properly secure their assets.

Attacks on misconfigured databases are not a rare occurrence. A mere few weeks ago, we wrote about thousands of unsecured MongoDB databases that were ransacked and held for ransom. However, wiping ill-secured databases without leaving any (ransom) notes whatsoever could be considered unusual.
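The tweet above gives the one behavioural signature these wipes leave behind: a client drops existing databases and then creates new ones named with a random string and "-meow". The detector below is an added example, not from BleepingComputer, the researchers quoted, or ESET. It runs over MongoDB 4.4-style JSON log lines and groups drop and create commands by client address; the log lines are constructed to mirror that format, and the example assumes the client address is present in attr.remote as it is in that release’s slow-query entries, which a deployment should confirm against its own logs before relying on the rule.

```python
import json
import re
from collections import defaultdict

# Added example (not from the sources quoted in the article): detect the
# "drop databases, then create <random>-meow" sequence in MongoDB JSON logs.

MEOW_NAME = re.compile(r"-meow$")

def parse_command_events(log_lines):
    """Yield (timestamp, remote, command, db, collection) for dropDatabase/create commands."""
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue                                     # not a JSON log line
        attr = rec.get("attr", {})
        cmd = attr.get("command")
        if not isinstance(cmd, dict):
            continue
        ts, remote, db = rec.get("t", {}).get("$date"), attr.get("remote", "?"), cmd.get("$db")
        if "dropDatabase" in cmd:
            yield ts, remote, "dropDatabase", db, None
        elif "create" in cmd:
            yield ts, remote, "create", db, cmd["create"]

def detect_meow(log_lines):
    """Report client addresses that dropped at least one database and then created
    an object whose database or collection name ends in '-meow'."""
    by_remote = defaultdict(lambda: {"dropped": [], "meow_created": []})
    for ts, remote, command, db, coll in parse_command_events(log_lines):
        if command == "dropDatabase":
            by_remote[remote]["dropped"].append(db)
        elif command == "create" and (MEOW_NAME.search(db or "") or MEOW_NAME.search(coll)):
            by_remote[remote]["meow_created"].append(f"{db}.{coll}")
    alerts = []
    for remote, ev in by_remote.items():
        if ev["dropped"] and ev["meow_created"]:
            alerts.append({"remote": remote.rsplit(":", 1)[0],       # strip the client port
                           "databases_dropped": ev["dropped"],
                           "meow_objects": ev["meow_created"]})
    return alerts

# Constructed sample log: one wiper session from 203.0.113.45 and one legitimate
# create from an internal host, plus a line that is not JSON at all.
SAMPLE_LOG = [
    '{"t":{"$date":"2020-07-24T03:12:41.110+00:00"},"s":"I","c":"COMMAND","ctx":"conn17",'
    '"msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","remote":"203.0.113.45:50122",'
    '"command":{"dropDatabase":1,"$db":"customers"},"durationMillis":230}}',
    '{"t":{"$date":"2020-07-24T03:12:41.300+00:00"},"s":"I","c":"COMMAND","ctx":"conn17",'
    '"msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","remote":"203.0.113.45:50122",'
    '"command":{"dropDatabase":1,"$db":"orders"},"durationMillis":180}}',
    '{"t":{"$date":"2020-07-24T03:12:42.010+00:00"},"s":"I","c":"COMMAND","ctx":"conn17",'
    '"msg":"Slow query","attr":{"type":"command","ns":"dj3qx9b-meow.$cmd","remote":"203.0.113.45:50122",'
    '"command":{"create":"dj3qx9b-meow","$db":"dj3qx9b-meow"},"durationMillis":120}}',
    '{"t":{"$date":"2020-07-24T03:15:00.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn3",'
    '"msg":"Slow query","attr":{"type":"command","ns":"reports.$cmd","remote":"10.0.0.8:41000",'
    '"command":{"create":"daily_summary","$db":"reports"},"durationMillis":105}}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in detect_meow(SAMPLE_LOG):
        print(f"{alert['remote']} dropped {alert['databases_dropped']} "
              f"then created {alert['meow_objects']}")
```

Two practical notes. First, the rule only fires after the damage is done; its value is in attribution and in catching the same client on other instances, so feed it from a central log pipeline rather than a single server. Second, the real prevention is the one the article states: no authentication-less database on a public address, which the Shodan count shows is still the norm for the victims.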