Need a better understanding of how damaging a ransom attack on your data can be? There’s no better case study than what’s happening to MongoDB users.
Last week, it came to light that unsecured MongoDB databases were being hit by an attacker demanding a ransom of 0.2 BTC (about $220 at the time) to return the data he was holding hostage.
The attacker, who goes by the online handle Harak1r1, has been hitting servers across the globe, said penetration tester Victor Gevers, who noticed the attacks when he reported exposed installations to their owners.
He also warned admins via Twitter about the attacker, who to date appears to have collected 16 deposits of exactly 0.2BTC via a Bitcoin wallet after having accessed unprotected databases, exported the content and replaced the data with the ransom demand.
Gevers, from the Netherlands-based GDI Foundation, has been tracking the activity along with Niall Merrigan, a Norway-based developer. They’ve warned that the targets are old MongoDB instances deployed via cloud hosting services, mostly on AWS, that were left running with the default configuration.
Dark Reading contributing writer Ericka Chickowski noted in her report that these attacks show how the bad guys are diversifying their ransomware tactics. She wrote:
The present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure – they simply take advantage of poorly implemented systems.
The downward spiral
Tuesday, the news kept getting worse for MongoDB users. Merrigan noted a massive surge in attacks on Monday, with the number of compromised servers doubling in a single day. Citing Merrigan’s data, Information Security Media Group (ISMG) managing editor Jeremy Kirk wrote:
Early on Jan. 9, about 12,000 MongoDB servers had been compromised … Later that day, the figure surged to 28,000. The total amount of data held hostage could be as high as 93 terabytes. Affected organizations are shown a warning asking them to pay a ransom in bitcoin, the virtual currency. The attackers typically delete the database and leave a ransom note in its place. Recently seen ransoms have demanded quantities of bitcoins ranging in value from $200 to $1,000.
Kirk noted that according to a spreadsheet Gevers and Merrigan compiled, 20 victims have paid ransoms so far but haven’t gotten their data back.
The number of potential victims in an attack like this is substantial. MongoDB has gotten extremely popular in recent years because its document model doesn’t impose a fixed schema, which makes it a lot more flexible than a traditional relational database. The ranking system of DB-engines.com has it pegged as the fourth-most popular database management system (DBMS) and the most popular NoSQL DBMS.
“MongoDB is the fastest-growing database ecosystem, with over 20 million downloads, thousands of customers, and over 1,000 technology and service partners,” DB-engines.com says on its website.
Security experts say it’s hard to tell at this point how many entities have data that’s being held hostage by Harak1r1. Victims who have their data backed up can tell the kidnapper to take a hike. There’s limited comfort in that, though: it’s unsettling and damaging whenever a company’s data is compromised, and a copy of it is now in the attacker’s hands.
MongoDB users were warned
John Matherly, founder of Shodan, a search engine for internet-connected devices, wrote a post in 2015 warning of large numbers of Internet-facing MongoDB servers running old and vulnerable software. He wrote:
At least with MySQL, PostgreSQL and much of the relational database software the defaults are fairly secure: listen on the local interface only and provide some form of authorization by default. This isn’t the case with some of the newer NoSQL products that started entering mainstream fairly recently.
The root of the problem for MongoDB users is that, on many systems, the default configuration had the database listening on port 27017 on all network interfaces (a bind address of 0.0.0.0) as soon as it was installed, with authentication switched off. Users are supposed to read the manual and set up access control and authentication after installing the software, but plenty of them evidently don’t.
The result is an internet-facing database that anyone who finds it can connect to, read, and wipe, with no access control or authentication in the way.
The need for awareness
The MongoDB story highlights the need for increased awareness. The lack of understanding when it comes to ransomware was made plain during a recent survey Sophos conducted. The survey asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware.
More than 30% admitted their defenses against phishing and ransomware are poor, and that they lack sufficient understanding of how they are targeted and what they can do about it. It’s not that people are completely clueless about the dangers they face. They simply acknowledged that they’re not as educated and experienced as they’d like to be.
More than half of those polled said they give IT advice to family and friends. But 14% of them admitted that they’re unsure about whether they’ve properly backed up the data on someone else’s computer or if they have the ability to recover that data if the computer is ever hacked. Meanwhile, 11% admitted they’re unsure if the computers they look after are truly protected from hackers and viruses.
The bottom line
If you’re a MongoDB user, make sure your data is backed up, that your database is patched and up to date, that it listens only on localhost or a private interface with port 27017 firewalled from the internet, that authentication is enabled with an administrative user created, and that you’ve read the security section of the MongoDB manual.
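To make the default-configuration problem described above and the bottom-line advice concrete, here is an added example that is not code from the article or from MongoDB: a weak mongod.conf of the kind older installs shipped with, beside a hardened one, plus a small audit function that checks a config file for the two settings that left the ransomed databases open (the bind address and authorization). Both sample files are constructed for this illustration; the audit recognises the YAML keys (`bindIp`, `bindIpAll`, `security.authorization`) and the older ini-style keys (`bind_ip=`, `auth=`).

```shell
#!/bin/sh
# Added example, not code from the article or from MongoDB: a weak mongod.conf
# beside a hardened one, and a small audit function that checks a config file
# for the two settings that left the ransomed databases open: the bind address
# and authorization. Both sample files are constructed for this illustration.

# The shape an older install often had: every interface, no authentication.
weak_conf() {
cat <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
}

# Loopback only and authorization on; front it with a firewall rule for 27017.
hardened_conf() {
cat <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF
}

# audit_conf FILE: prints findings; returns 0 only if every bind address is
# loopback and authorization is enabled.  Accepts the YAML keys (bindIp,
# bindIpAll, security.authorization) and the older ini keys (bind_ip=, auth=).
audit_conf() {
    file=$1
    rc=0

    if grep -qE '^[[:space:]]*bindIpAll[[:space:]]*:[[:space:]]*true' "$file"; then
        echo "FAIL: bindIpAll: true listens on every interface"
        rc=1
    fi

    # First bind setting, trailing comment and whitespace stripped.
    bind=$(sed -n -E 's/^[[:space:]]*(bindIp|bind_ip)[[:space:]]*[:=][[:space:]]*//p' "$file" \
           | head -n 1 | sed 's/#.*$//' | tr -d '[:space:]')
    if [ -z "$bind" ]; then
        echo "FAIL: no bind address set (releases before 3.6 bound to all interfaces by default)"
        rc=1
    else
        old_ifs=$IFS
        IFS=,
        for addr in $bind; do
            case "$addr" in
                127.0.0.1|localhost|::1) ;;
                *) echo "FAIL: bind address $addr is reachable from the network"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    fi

    auth=$(sed -n -E 's/^[[:space:]]*(authorization[[:space:]]*:|auth[[:space:]]*=)[[:space:]]*//p' "$file" \
           | head -n 1 | sed 's/#.*$//' | tr -d '[:space:]')
    case "$auth" in
        enabled|true) ;;
        *) echo "FAIL: authorization not enabled (found: '${auth:-unset}')"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "ok: $file binds to loopback only with authorization enabled"
    fi
    return "$rc"
}

# Demo: write both constructed configs to a temp dir and audit them.
tmp=$(mktemp -d)
weak_conf > "$tmp/weak.conf"
hardened_conf > "$tmp/hardened.conf"
audit_conf "$tmp/weak.conf" || echo "=> weak.conf would be exposed"
audit_conf "$tmp/hardened.conf" && echo "=> hardened.conf passes"
rm -rf "$tmp"
```

Two caveats when applying the hardened file: `security.authorization: enabled` locks you out until an administrative user exists, so create one first over a localhost connection (MongoDB's localhost exception allows the first `db.createUser(...)` on the `admin` database), and a loopback-only bind is no substitute for a firewall rule, since an application server that genuinely needs remote access will need a private-network bind plus credentials rather than 0.0.0.0.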
For more advice on protecting yourself from ransomware take a look at Your data is being held to ransom. Now what?
As always, the best defence is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:
You might also enjoy our Techknow podcast Dealing with Ransomware:
7 comments on “Thousands of MongoDB databases compromised and held to ransom”
dbleaks.com has informed thousands of folks of this issue; less than 1% reply, and out of that 1%… it’s maybe 1 in 100 that actually secure their databases…
Security is the last thing these folks care about. You can tell them, they don’t care until it’s too late.
This is not a new vulnerability and the databases were publicly exposed. Do they also put bags on their heads and dance in traffic?
I’m sure the hackers appreciate Shodan supplying the list to them, maybe as much as the perverts appreciate webcams list from Shodan.
Shodan is not to blame and is an extremely useful tool.
The IT professionals that (mis)configured the DBs and the makers of Mongo are the ones to complain about.
Then you wouldn’t blame an arms dealer that gives ammo to anyone that asks for it, just because they don’t pull the trigger themselves.
You are really stretching for an analogy…
Sorry, I am not getting into a willy-wagging match with you over terrible analogies.
Shodan is a very useful tool for white hats, you can disagree, which is fine but some of us like progress in technology and security.
My personal beef with them is that they scanned our firewall multiple times nearly every day for over a year straight. I had read that it is the main source that is used to collect IPs of webcams on multiple sites. If they vetted people before using their services I wouldn’t have a negative thing to say about them. Maybe if they had a form to ask to be removed from their scans, but they don’t. Calling them was also useless, and they denied flat out that they repeat-scan like that themselves and that they have no restrictions on who uses it and how it’s used. They offered that we could file a formal complaint, but we would be required to supply logs to them, and they made it sound futile. In short, they pissed me off and I see them as very irresponsible with what they offer.