Need a better understanding of how damaging ransomware attacks can be? There’s no better case study than what’s happened to MongoDB.
Last week, it came to light that unsecured MongoDB databases were being hit by an attacker demanding a 0.2BTC ransom ($220) to return the data he was holding hostage.
The attacker, who goes by the online handle Harak1r1, has been hitting servers across the globe, said penetration tester Victor Gevers, who noticed the attacks when he reported exposed installations to their owners.
He also warned admins via Twitter about the attacker, who to date appears to have collected 16 deposits of exactly 0.2BTC via a Bitcoin wallet after having accessed unprotected databases, exported the content and replaced the data with the ransom demand.
Gevers, from Netherlands-based GDI Foundation, has been tracking the activity along with Niall Merrigan, a Norway-based developer. They’ve warned that it’s old MongoDB instances deployed via cloud hosting services, mostly on the AWS platform with a default configuration, that are being attacked.
Dark Reading contributing writer Ericka Chickowski noted in her report that these attacks show how the bad guys are diversifying their ransomware tactics. She wrote:
The present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure – they simply take advantage of poorly implemented systems.
The downward spiral
Tuesday, the news kept getting worse for MongoDB users. Merrigan noted a massive surge in attacks on Monday, with the number of compromised servers doubling in a single day. Citing Merrigan’s data, Information Security Media Group (ISMG) managing editor Jeremy Kirk wrote:
Early on Jan. 9, about 12,000 MongoDB servers had been compromised … Later that day, the figure surged to 28,000. The total amount of data held hostage could be as high as 93 terabytes. Affected organizations are shown a warning asking them to pay a ransom in bitcoin, the virtual currency. The attackers typically delete the database and leave a ransom note in its place. Recently seen ransoms have demanded quantities of bitcoins ranging in value from $200 to $1,000.
Kirk noted that according to a spreadsheet Gevers and Merrigan compiled, 20 victims have paid ransoms so far but haven’t gotten their data back.
The number of potential victims in an attack like this is substantial. MongoDB has become extremely popular in recent years because it uses a schema that's a lot more flexible than other databases'. The ranking system of DB-engines.com has it pegged as the fourth-most popular database management system (DBMS) and the most popular NoSQL DBMS.
“MongoDB is the fastest-growing database ecosystem, with over 20 million downloads, thousands of customers, and over 1,000 technology and service partners,” DB-engines.com says on its website.
Security experts say it's hard to tell at this point how many entities have data that's being held hostage by Harak1r1. Victims who have their data backed up can tell the kidnapper to take a hike. There's limited comfort in that, though. It's unsettling and damaging whenever a company's data is compromised.
MongoDB users were warned
John Matherly, founder of Shodan, a search engine for internet-connected devices, wrote a post in 2015 warning of large numbers of Internet-facing MongoDB servers running old and vulnerable software. He wrote:
At least with MySQL, PostgreSQL and much of the relational database software the defaults are fairly secure: listen on the local interface only and provide some form of authorization by default. This isn’t the case with some of the newer NoSQL products that started entering mainstream fairly recently.
The problem for MongoDB users seems to be that on some systems the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Users are supposed to read the manual and set up access control and authentication after installing the software but it seems that plenty of them don’t.
The result is an internet-connected database with no access control or authentication.
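The two settings behind that result are the bind address and the authorization switch in mongod.conf. The script below is an added example, not code from this article or from the MongoDB project: it reads a YAML-style mongod.conf and flags the exposed state (a non-loopback `net.bindIp`, `net.bindIpAll: true`, or `security.authorization` left off) next to a hardened one. The option names are real MongoDB configuration keys; the two sample configs are constructed, and the tiny parser handles only the indented key/value subset that mongod.conf uses.

```python
"""Audit a mongod.conf for the two settings that left databases open:
a bind address reachable from the network and authorization left disabled.
Added example (not the article's or MongoDB's own code); sample configs
are constructed for illustration."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text):
    """Minimal parser for the subset of YAML that mongod.conf uses:
    nested mappings by indentation plus scalar values.  Comments and blank
    lines are ignored.  (Production code would use PyYAML; this keeps the
    example dependency-free.  Values containing '#' are not supported.)"""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "net:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def audit(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    net = config.get("net", {})
    security = config.get("security", {})

    # net.bindIpAll: true (MongoDB 3.6+) listens on every interface.
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on all interfaces")

    # Releases before 3.6 bound to all interfaces when bindIp was not set,
    # which is the default-install exposure the article describes.
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp not set: pre-3.6 releases then listen on all interfaces")
    else:
        # Conservative: anything that is not loopback is reported, including
        # private addresses, so the operator has to justify each one.
        public = [a.strip() for a in bind.split(",") if a.strip() not in LOOPBACK]
        if public:
            findings.append("net.bindIp exposes non-loopback address(es): " + ", ".join(public))

    # Without authorization, every client that can connect has full access.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not enabled: any connecting client has full access")
    return findings


def audit_file(text):
    return audit(parse_simple_yaml(text))


# Constructed sample: the shape of an exposed install.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0     # reachable from every interface
"""

# Constructed sample: the same install after applying the manual's security section.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_file(conf) or ["ok"])
```

Run it against `/etc/mongod.conf` on a host and treat any finding as a reason to stop the service until the bind address is restricted and users are created; restricting `bindIp` alone is not enough, because a VPN user, a compromised neighbour in the same network, or an SSRF bug in an application can still reach a loopback-only port with no authentication.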
The need for awareness
The MongoDB story highlights the need for increased awareness. The lack of understanding when it comes to ransomware was made plain during a recent survey Sophos conducted. The survey asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware.
More than 30% admitted their defenses against phishing and ransomware are poor, and that they lack sufficient understanding of how they are targeted and what they can do about it. It’s not that people are completely clueless about the dangers they face. They simply acknowledged that they’re not as educated and experienced as they’d like to be.
More than half of those polled said they give IT advice to family and friends. But 14% of them admitted that they’re unsure about whether they’ve properly backed up the data on someone else’s computer or if they have the ability to recover that data if the computer is ever hacked. Meanwhile, 11% admitted they’re unsure if the computers they look after are truly protected from hackers and viruses.
The bottom line
If you're a MongoDB user, make sure your data is backed up, that your database is patched and up to date, and that you've read the security section of the MongoDB manual.
For more advice on protecting yourself from ransomware, take a look at Your data is being held to ransom. Now what?
As always, the best defence is not to get infected in the first place, so we've published a guide entitled How to stay protected against ransomware that we think you'll find useful.
You might also enjoy our Techknow podcast Dealing with Ransomware.