On May 25, more than two dozen Structured Query Language (SQL) databases were identified that are being sold on an unknown public website. These databases were stolen from online stores in various countries, including Germany, Brazil, the USA, Italy, India, Spain, and Belarus. The threat actor targeted insecure online servers to deploy ransomware and copy the content of the targeted websites. According to reports, the unidentified threat actor is offering 31 compromised databases and provides a sample for the buyers to check the authenticity of the data. Most of the compromised online stores are using SQL databases, such as Shopware, JTL-Shop, PrestaShop, OpenCart, and Magento v1 and v2 e-commerce Content Management System (CMS). Based on reports, the databases contain a total of 1,620,000 rows of exposed records including email addresses, names, hashed passwords (e.g bcrypt and MD5), postal addresses, gender, and dates of birth.
The threat actor requires the victims to pay Bitcoin (BTC) 0.06, or approximately $525 USD, to retrieve the compromised data within 10 days or else the threat actor will sell the data. At the time of writing, it is unclear if the targeted entities have already addressed the issue or what attack was used to gain initial access to the databases.
Nuspire recommends the following mitigation steps to prevent potential SQL injection, Cross-site scripting (XSS), and ransomware attacks:
-Implement Input Validation
-Web Application Firewall (WAF)
-Always use character-escaping functions for user-supplied input provided by each database management system (DBMS) -Sanitize the user input -Enforce the principle of least privilege -Maintain up-to-date antivirus signatures and engines -Keep systems patches up-to-date