NFL Players, Agents Targeted in Database Extortion Attempt

A misconfigured database containing records belonging to 1,133 National Football League players and their agents was exposed via an unsecured Elasticsearch server. The database belongs to the NFL Players Association and includes the home address, phone numbers and IP addresses for hundreds of current and former players.
Kromtech Security Center, which made the discovery on Sept. 26, said the database had been breached by an adversary who left behind a “pleasereadthis” file that demanded 0.1 bitcoin ($440) or the database would be made “public” within 120 hours. The ransom was never paid and the NFL Players Association has since secured the data, according to Kromtech.
An NFL Players Association spokesperson declined to comment.
“Specific indices content (was) also viewable via a browser, so anybody with an Internet connection could have accessed the data (and, as ‘pleasereadthis’ index says, somebody with malicious intent has already seen it),” wrote Bob Diachenko, chief communication officer for Kromtech.
The database incident is just the latest in a long string of misconfigured databases found recently leaking data. Earlier this year security researcher Victor Gevers said 28,000 MongoDB and Elasticsearch installations were hacked in a wave of attacks against unprotected open source data management platforms. In most of the cases, attackers were taking advantage of default installations of Elasticsearch where either no credentials or easy-to-guess credentials allow for simple attacks.
In the case of the NFL Players Association it was a misconfigured Elasticsearch database hosted on a properly configured Amazon S3 server.
“The exposed log records show NFL player information and their agent’s information, such as emails, mobile phone numbers, home address of agents and players and IP addresses which were used to sign-in and access the dashboard,” according to Kromtech.
Among the list of top names in the NFL that had personally identifiable data exposed is former 49ers quarterback Colin Kaepernick. “The seriousness of his data being leaked is that Kaepernick has told reporters that he has received multiple death threats since 2016 for protesting during the national anthem,” Diachenko said.
In related research, in May security expert Jordan Wright observed an increase in hackers targeting Elasticsearch instances. He noted that attackers were using exploit code against a remote code execution vulnerability discovered earlier this year in Elasticsearch server software. The attackers were using the vulnerability (CVE-2015-1427) to automatically download and run malware on vulnerable Elasticsearch servers.

The vulnerability was patched in February, but attackers are still finding vulnerable Elasticsearch instances. Researchers believe the National Football League’s database is just one of 4,600 unsecured Elasticsearch instances where criminals attempt to extort money in exchange for keeping data safe and private.
In the case of the NFL Players Association, it’s believed the exposed data was a deployment and operations issue and not tied to the security of the platform.
Diachenko said the key factor in addressing database security is a combination of automatic protection systems and “never ending internal educational initiatives aimed at raising awareness” of the dangers of leaky data and how to protect against it.
Too often, databases that have been attacked simply don’t take advantage of encryption, authentication, access control and role-based user rights to data, say experts.
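As an added example (not code from the article, Kromtech or Elastic), the following Python audit classifies an Elasticsearch node from two responses captured without credentials, flagging the open-access condition described above and any index that looks like the “pleasereadthis” extortion note; the sample responses and the extra name patterns are constructed assumptions.

```python
import json
import re

# Index names typical of extortion notes left in open databases.
# "pleasereadthis" is the index from the NFLPA incident; the other
# patterns are assumptions about similar notes, not from the article.
RANSOM_INDEX_PATTERNS = [
    re.compile(r"please[_-]?read", re.I),
    re.compile(r"read[_-]?me", re.I),
    re.compile(r"^warning", re.I),
]


def audit_elasticsearch(root_status, root_body, indices_status, indices_body):
    """Classify an Elasticsearch node from two responses captured without
    credentials: GET / and GET /_cat/indices?format=json.
    *_status are HTTP status codes, *_body the raw response text.
    A 401 or 403 on GET / means authentication is enforced."""
    findings = []
    if root_status == 200:
        findings.append("open: GET / answered without credentials")
        try:
            version = json.loads(root_body)["version"]["number"]
            findings.append(f"version disclosed: {version}")
        except (ValueError, KeyError, TypeError):
            pass
    if indices_status == 200:
        for idx in json.loads(indices_body):
            name = idx.get("index", "")
            if any(p.search(name) for p in RANSOM_INDEX_PATTERNS):
                findings.append(
                    f"extortion note index: {name} "
                    f"({idx.get('docs.count', '?')} docs)"
                )
    return findings


# Constructed sample responses, modelled on what an open node returns.
SAMPLE_ROOT = json.dumps({"name": "node-1", "version": {"number": "2.4.0"}})
SAMPLE_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "player_logs", "docs.count": "1133"},
    {"health": "yellow", "status": "open", "index": "pleasereadthis", "docs.count": "1"},
])


def run_sample():
    return audit_elasticsearch(200, SAMPLE_ROOT, 200, SAMPLE_INDICES)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against a node you administer, a clean result is an empty list; any “open” finding means the node should be bound to a private interface or placed behind authentication before anything else is done.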