Data Loss Prevention (DLP) , Governance & Risk Management , Incident & Breach Response

MongoDB Ransomware Compromises Double in a Day

Hackers Strike as Window of Opportunity Potentially Closes
MongoDB Ransomware Compromises Double in a Day
Attackers are encrypting poorly secured MongoDB databases and demanding a ransom to return the data.

Security experts have seen a doubling in less than a day of successful attacks against insecure MongoDB databases in attempts to extract ransoms from their owners.

See Also: How to Hunt Threats Like Elite Defenders with Open NDR + MITRE ATT&CK®

The attacks against servers running MongoDB - a widely used, open source NoSQL database - first came to light in December 2016, though the attacks were relatively small in scale. But many of the affected databases hadn't been set to require a password for access, making remote compromises simple.

But the attacks have now intensified as other hackers seek to capitalize on what may be a closing window of opportunity (see Database Hijackings: Who's Next?).

Early on Jan. 9, about 12,000 MongoDB servers had been compromised, writes Niall Merrigan, a security expert who works for Capgemini in Norway. Later that day, the figure surged to 28,000, he writes. The total amount of data held hostage could be as high as 93 terabytes.

According to the search engine Shodan, there are about 50,000 MongoDB servers facing the Internet, Merrigan writes.

Affected organizations are shown a warning asking them to pay a ransom in bitcoin, the virtual currency. The attackers typically delete the database and leave a ransom note in its place. Recently seen ransoms have demanded quantities of bitcoins ranging in value from $200 to $1,000.

Merrigan, along with Victor Gevers, chairman of the GDI Foundation, have created a spreadsheet titled MongoDB ransacking that collates a variety of data on the attacks, including victims, whether they've paid the ransom and various email addresses used by attackers.

The spreadsheet indicates that to date, 20 victims have paid ransoms but not received their data. It's common for ransomware attackers to not bother restoring victims' data, which fuels the argument that victims should just absorb the loss and move on rather than reward attackers.

Target: Misconfigured MongoDB

MongoDB hackers have been targeting database instances that have been - most likely inadvertently - left Internet-accessible. These instances are also misconfigured or have known software vulnerabilities, which has allowed the attackers to access the databases and then modify or steal content.

But security experts have long been warning MongoDB administrators to clean up their act. John Matherly, who founded Shodan - a search engine for internet-connected devices - noted in mid-2015 that there were large numbers of Internet-facing MongoDB servers running outdated software.

Internet-connected MongoDB databases as of August 2015 (source: Shodan).

More recently, MongoDB Inc., which supports the database, has weighed in. In a Jan. 6 blog post, Andreas Nilsson, MongoDB's director of product security notes that "these attacks are preventable with the extensive security protections built into MongoDB."

Notably, he says all of the ransomware attacks seen today should have been prevented if MongoDB's access controls were enabled and correctly configured. These access controls also create system log that will record unauthorized access attempts or other suspicious activity, he says, but adds: "You need to use these features correctly, and our security documentation will help you do so."

The company also offers other options - MongoDB Cloud Manager and MongoDB Ops Manager - that allow users to "enable alerts to detect if their deployment is internet exposed," as well as create regular backups that allow systems to later be restored, which is one defense against ransomware infections.

MongoDB Alerts

MongoDB Inc. offers tools that can warn users if internet-exposed databases get deployed.

Firewalls and Authentication

The attacks against the insecure MongoDB servers aren't particularly sophisticated, writes Frank Harding, who describes himself as an aspiring developer. Related tools for manipulating the databases can be easily found via Google searches, he notes.

"By leveraging these tools it's incredibly easy for 'hackers' to make extremely simple scripts to automate the process of dumping, dropping and inserting a ransom note or in some cases, just dropping and inserting a ransom note," Harding writes in a post on Medium.

Harding has advice for anyone running MongoDB databases: Use a firewall and ensure authentication is enabled. MongoDB also has a handy checklist that administrators can follow to make sure there are no problems.

For anyone who's already been attacked, there's little recourse for getting data back - without attempting to pay a ransom - unless affected databases have been securely backup up. "If you don't have a backup or are otherwise unable to restore the data, unfortunately your data may be permanently lost," MongoDB's Nilsson writes.

But even for those organizations that have backed up, attackers may have also obtained a copy of the data. In some jurisdictions - including the United States, and under the EU's new General Data Protection Regulation, soon all of Europe - victims must notify regulators of the database breach, if any customers' personal or financial data was potentially exposed.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.