MongoDB attacks leave thousands asking: “is my database secure?”
Are you certain you secured yours? Rash of MongoDB attacks turns into pandemic as more hackers join the fray, and more targets are found...
It’s been a busy 2017 already, especially for hackers exploiting poorly-implemented database security. In late 2016 a trickle of MongoDB servers were being attacked, wiped and ransomed, but the new year has caused that number to rocket over the last few days alone, jumping from 10,500 to more than 28,200.
Initially the attacks were conducted by one group, dubbed Harak1r1, but it’s now thought that twelve groups are engaged in launching attacks on unsecured MongoDB databases, including a professional ransomware group known as Kraken. Figures from security researchers Niall Merrigan, a solutions architect for consulting giant Cap Gemini, and Victor Gevers, co-founder of the GDI Foundation, imply that roughly 25 per cent of all internet-connected MongoDB databases have been compromised so far. There seem to be a few left though:
It’s not particularly clear that the deleted data is actually being copied by the attackers. Gevers says that he’s identified 84 examples of servers that have been wiped and left with a ransom note, but that show “no trace of data exfiltration”. As security researcher Graham Cluley clarified on his blog: “Data has definitely been wiped - we know that. And ransom demands for its safe return have been made. What we don't know is whether it's actually true that data has been stolen. That would, after all, be a lot of data to steal from many different systems. It's possible that the attackers are just taking a punt with their ransom demand... but don't actually have the data to return.”
The open source MongoDB has come under fire before, as misconfigured MongoDB databases have exposed user password data and other sensitive information in the past, most memorably when 13 million Mackeeper users were exposed by the issue in 2015.
The current ‘hack’ relies on admins installing MongoDB with default settings, which leave the resulting database open for anyone to browse, download, or even overwrite and delete.
So what can you do about it? Well, if you’re running a MongoDB server and aren’t sure if you have secured it, Gevers advises following MongoDB's security recommendations (which are here), or at the very least blocking port 27017 on your firewall or configuring MongoDB to listen only on 127.0.0.1 in /etc/mongodb.conf, and then restarting the database. On a broader note, you could also test your webserver security with High-Tech Bridge’s free websec tool - here’s MongoDB, for example, getting an ‘F’ rating for security:
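The loopback-only configuration check described above, as an added example script that is not part of the original article or of MongoDB itself: it reads a mongod config file (the article's /etc/mongodb.conf, or any path you pass), accepts both the legacy `bind_ip =` form and the YAML `bindIp:` form, and reports whether the listener is restricted to 127.0.0.1. The sample config files it writes are constructed under a hypothetical directory in $TMPDIR for demonstration only.

```shell
#!/bin/sh
# Check whether a mongod config restricts the listener to loopback, as the
# article recommends. Understands the legacy "bind_ip = ..." form and the
# YAML "net: bindIp: ..." form; quotes and trailing "# comments" are ignored.
# Returns 0 when every listed address is loopback, 1 when the server would
# accept connections from other hosts (or the file cannot be read).
mongo_bind_is_loopback() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # bindIpAll: true exposes every interface regardless of any bindIp list
    if sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*bindIpAll[[:space:]]*:[[:space:]]*true'; then
        return 1
    fi
    # Pull the address list from whichever directive form is present
    addrs=$(sed 's/#.*//' "$conf" \
        | sed -n -E 's/^[[:space:]]*(bind_ip|bindIp)[[:space:]]*[:=][[:space:]]*//p' \
        | tail -n 1 | tr -d "\"' ")
    # No directive at all: at the time of the article mongod then listened on
    # every interface, so treat a missing setting as exposed
    [ -n "$addrs" ] || return 1
    for a in $(printf '%s' "$addrs" | tr ',' ' '); do
        case "$a" in
            127.0.0.1|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs (hypothetical paths under $TMPDIR, not real servers)
SAMPLE_DIR="${TMPDIR:-/tmp}/mongo_bind_check"
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    # Legacy format bound to every interface: the exposed default
    printf 'bind_ip = 0.0.0.0\nport = 27017\n' > "$SAMPLE_DIR/open.conf"
    # YAML format, loopback only: the corrected setting
    printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1  # local only\n' > "$SAMPLE_DIR/loopback.conf"
    # YAML format with no bindIp at all: reported as exposed
    printf 'storage:\n  dbPath: /var/lib/mongodb\n' > "$SAMPLE_DIR/default.conf"
}

# Report each sample the way an audit script would
write_samples
for f in "$SAMPLE_DIR"/*.conf; do
    if mongo_bind_is_loopback "$f"; then echo "OK       $f"; else echo "EXPOSED  $f"; fi
done
```

A passing check only covers the bind address; the firewall rule on port 27017 and MongoDB's own authentication settings still need to be verified separately.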
As Ilia Kolochenko, High-Tech Bridge CEO, has said: “Cybersecurity is not rocket science as some people tend to think. The methodology of success involves identifying all of your digital assets, conducting a holistic and comprehensive risk assessment, mitigating those risks and then continuously monitoring for new risks, threats and vulnerabilities. By following this methodology any company deploying misconfigured MongoDB would have realised and rectified the mistake long ago…”