Exposed MongoDB databases have become the easy money-maker ransomware criminals are busy filling their boots with.
In mid-July 2019, another database fell to the extortion hackers, this time containing 2.1 million records belonging to well-known Mexican publisher and bookseller, Librería Porrúa.
It’s not certain how many individual customers were affected, but purchase information included details of 1.2 million names, email addresses, shipping addresses and phone numbers, plus site information such as invoices and purchases, shopping cart IDs, activation codes and tokens, and hashed card details.
There were also 958,000 personal records revealing most of the above data fields plus dates of birth.
We know all this because this exposed MongoDB instance was discovered by security researcher Bob Diachenko on 15 July 2019, the day after it was first indexed by the Shodan search engine.
He explains how he immediately contacted the company with the bad news. Unfortunately, by 18 July, criminals had spotted and “wiped” the database, leaving a demand for 0.05 Bitcoins (around $500) to return it.
The next day, access to the now empty database was disabled by someone, presumably in response to the attack. As of 1 August, nobody from Librería Porrúa had contacted Diachenko regarding his discovery.
As with previous incidents involving exposed databases, the MongoDB instance was accessible by anyone without the need for authentication, with the added bonus that it could be reached using two different IP addresses.
As Diachenko points out, by the time criminals access a database of this kind, paying the ransom is beside the point – even if the attackers hand back the data, it might still have been copied and exposed elsewhere.
Public access mode
As previously discussed on Naked Security, one of the risks with MongoDB is that’s its easy to mess up either by using an older version lacking remote access authentication, or a newer instance that has been poorly secured. Diachenko notes:
The public configuration makes it possible for cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.
It’s the recurring weakness that contributed to a huge campaign that compromised up to 27,000 thousand MongoDB installations in 2017.
In 2018, in another severe incident, a database of 445 million records held by disaster recovery company Veeam was found in an exposed state by Diachenko.
In May this year, Diachenko discovered yet another MongoDB database containing the records of 275 million people in India.
How to protect yourself from ransomware
If you’re a MongoDB user make sure your data is backed up, that your database is patched and up to date and that you’ve read the security section of the MongoDB manual. Using authentication is essential. In addition:
- Pick strong passwords. And don’t re-use passwords, ever.
- Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
- Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
- Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.