
Hackers Actively Compromising Databases Using Legitimate Commands

A wave of ransomware-style attacks is compromising databases using nothing but the database engines' own commands: no malware is dropped on the host, so the operation is "malware-less". The activity has been observed against MySQL, PostgreSQL, MongoDB, Hadoop, CouchDB and Elasticsearch. The attacker connects to the server over the network, copies the data to a location they control, deletes it with ordinary administrative commands, and writes the ransom note into the database itself.

Because every step is a legitimate command issued over a valid connection, endpoint security tools that look for malicious binaries or processes see nothing unusual; the evidence lives in the database's own query logs and in the data that is suddenly missing. On relational engines the destructive phase is a plain DROP or bulk delete; on the non-relational platforms it is the equivalent drop or bulk-removal operation. The ransom note is then stored where the victim will find it: in PostgreSQL, for example, the attacker creates a table named "ransom" and inserts the note as a row.
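Since the attack leaves no malware behind, the place to catch it is the database's statement log. The following detector is an added example, not code from the original post or from any vendor referenced in it. It parses constructed PostgreSQL log lines (assumed `log_statement = 'all'` and an assumed `log_line_prefix` of `'%m [%p] %u@%d %h '`), flags the four stages described above (bulk export, destructive statement, creation of a ransom-named table, insertion of a note), suppresses routine DDL and exports from an assumed allow-list of internal hosts, and correlates per client host so that the full export-wipe-note sequence stands out from one-off maintenance.

```python
import re
from dataclasses import dataclass

# Assumed PostgreSQL log format: log_line_prefix = '%m [%p] %u@%d %h ' and
# log_statement = 'all', which yields lines like
#   2024-05-01 10:00:01.101 UTC [4321] app@prod 10.0.0.5 LOG:  statement: SELECT 1;
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+statement: (?P<sql>.*)$"
)

# Hosts allowed to run migrations and backups (assumption for this example).
TRUSTED_HOSTS = {"10.0.0.5", "[local]"}

# Whole-object removal or an unfiltered DELETE (no WHERE clause).
DESTRUCTIVE_RE = re.compile(
    r"^\s*(?:DROP\s+(?:DATABASE|TABLE|SCHEMA)|TRUNCATE|DELETE\s+FROM\s+\S+\s*;?\s*$)", re.I
)
CREATE_RE = re.compile(r'^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"?(?P<name>[\w.]+)', re.I)
INSERT_RE = re.compile(r'^\s*INSERT\s+INTO\s+"?(?P<name>[\w.]+)', re.I)
# COPY ... TO STDOUT/PROGRAM/file is how data leaves over a plain SQL session.
EXFIL_RE = re.compile(r"^\s*COPY\s+.+?\s+TO\s+(?:STDOUT|PROGRAM|')", re.I)
# Heuristics for ransom-note tables and payloads; tune to your environment.
RANSOM_NAME_RE = re.compile(r"ransom|readme|recover|restore|warning|how_to", re.I)
RANSOM_TEXT_RE = re.compile(r"bitcoin|\bbtc\b|\.onion|\bpay\b", re.I)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    db: str
    rule: str
    sql: str


def parse_line(line):
    """Return the log fields as a dict, or None for lines that are not statements."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(sql):
    """Map one statement to a rule name, or None if it is unremarkable."""
    if DESTRUCTIVE_RE.match(sql):
        return "destructive_statement"
    m = CREATE_RE.match(sql)
    if m and RANSOM_NAME_RE.search(m.group("name")):
        return "ransom_table_created"
    m = INSERT_RE.match(sql)
    if m and (RANSOM_NAME_RE.search(m.group("name")) or RANSOM_TEXT_RE.search(sql)):
        return "ransom_note_inserted"
    if EXFIL_RE.match(sql):
        return "bulk_export"
    return None


def scan(lines, trusted_hosts=TRUSTED_HOSTS):
    """Run every log line through the rules; trusted hosts may export and drop
    (backups, migrations) but a ransom table or note fires from anywhere."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec["sql"])
        if rule is None:
            continue
        if rec["host"] in trusted_hosts and rule in ("destructive_statement", "bulk_export"):
            continue
        findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["db"], rule, rec["sql"]))
    return findings


def correlate(findings, min_rules=2):
    """Hosts that hit several distinct rules look like the export-wipe-note chain."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample log: routine traffic from an internal host, then an external
# client that exports a table, drops the database and leaves a note.
LOGS = """\
2024-05-01 10:00:01.101 UTC [4321] app@prod 10.0.0.5 LOG:  statement: SELECT id FROM orders WHERE id = 42;
2024-05-01 10:00:02.204 UTC [4322] app@prod 10.0.0.5 LOG:  statement: TRUNCATE session_cache;
2024-05-01 10:03:10.010 UTC [4400] postgres@prod 203.0.113.7 LOG:  statement: COPY customers TO STDOUT;
2024-05-01 10:03:11.332 UTC [4401] postgres@postgres 203.0.113.7 LOG:  statement: DROP DATABASE prod;
2024-05-01 10:03:12.009 UTC [4401] postgres@postgres 203.0.113.7 LOG:  statement: CREATE TABLE ransom (note text);
2024-05-01 10:03:12.500 UTC [4401] postgres@postgres 203.0.113.7 LOG:  statement: INSERT INTO ransom VALUES ('Your data was exported. Pay 0.1 BTC to restore it.');
""".splitlines()

if __name__ == "__main__":
    found = scan(LOGS)
    for f in found:
        print(f"{f.ts} {f.host} {f.user}@{f.db} {f.rule}: {f.sql}")
    print("suspicious hosts:", correlate(found))
```

The host allow-list is what keeps `pg_dump` (which also issues `COPY ... TO STDOUT`) and scheduled migrations out of the alert stream; the ransom-table and note rules deliberately ignore it, because there is no legitimate reason for either. The same four-stage structure applies to the non-relational engines in the post, with the engine's own drop and bulk-delete operations substituted for the SQL patterns.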

Read more here 🔗

This post is licensed under CC BY 4.0 by the author.