27,000 MongoDB servers have their data wiped, receive ransom demand for its safe return

Here’s what you need to know.

27,000 MongoDB servers have their data wiped, receive ransom demand for its safe return

What's happened?
Tens of thousands of unprotected MongoDB databases have been taken hostage by hackers, who have wiped data from company servers and are demanding a ransom be paid for the safe return of the information.

Typical victims include hospitals, small businesses and educational institutions.

Some have suggested that the number of affected databases could be in the region of 27,000.

MongoDB? What's that?
MongoDB is an open source document database.

And it has a vulnerability that the hackers were able to exploit? Sheesh...
Not so fast. There are security measures built into MongoDB, it's just that some users don't bother to use them. For instance, some MongoDB administrators have been leaving their systems accessible to the open internet, without having so much as an admin password in place.

Why would anyone be running an open MongoDB instance?
Because they like living dangerously? Because they get a kick out of being reckless with people's data?

Seriously, there's no good reason. It's a crazy thing to do.

I'm sure I've heard of people breaking into unsecured MongoDB databases before and stealing data
Yup, it's not rocket science. For instance, a researcher stumbled across the details of 13 million Mac users after controversial firm MacKeeper left them exposed for any Tom, Dick or Harry to see in an unprotected MongoDB instance.

But what's different in this case is that an intruder is not just claiming to steal the data, they're also wiping the victim's copy and attempting to extort a Bitcoin ransom:

"SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"

"Claiming" to steal the data?
Yes. Data has definitely been wiped - we know that. And ransom demands for its safe return have been made. What we don't know is whether it's actually true that data has been stolen. That would, after all, be a lot of data to steal from many different systems. It's possible that the attackers are just taking a punt with their ransom demand... but don't actually have the data to return.

I see. So, might MongoDB instances that are protected by a password or are not accessible via the public internet also be at risk?
To date the attacks have only been against MongoDB instances that have been left wide open by lackadaisical administrators. In theory it might be possible to launch attacks against instances where admins have used easy-to-guess passwords, but there's no reason to believe that's likely to happen at the moment.

The message is simple - use strong, unique passwords and don't connect things to the internet unless they need to be connected to the internet.

Yes, you've heard that advice before. No, people don't seem to be getting the message. Sigh...

What is the company behind MongoDB doing about it?
I imagine it is feeling pretty frustrated that some of their users are being so careless with the software.

MongoDB Inc clearly needs to reach out to the community and underline the importance of not having unsecured instances of MongoDB running openly on the net. It has posted some advice for users on its website.

Of course, the damage is somewhat lessened if you had taken the precaution of backing up your database. If that's the case then you only have the embarrassing problem of explaining to your customers that their data has perhaps been stolen and personal information exposed, rather than be utterly incapable of doing any business.

However, if you're the kind of outfit that doesn't have an admin password for your database and leaves it open to the internet then I don't hold out much hope that you've been making backups...

Tags: ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

,

5 Responses

  1. Michael Ponzani

    January 10, 2017 at 1:03 pm #

    Password Boss, use password boss.

  2. Clayton

    January 10, 2017 at 5:38 pm #

    Maybe services shouldn't ever be wide open by default. Ever.

  3. Greg Martin

    January 10, 2017 at 8:16 pm #

    How do you not call out Mongo for shipping a product with insecure defaults? We learned this years ago.

    • Graham Cluley in reply to Greg Martin.

      January 10, 2017 at 10:12 pm #

      Fair point.

      Let me be clear then – I think it sucks that default installations of MongoDB are so clearly insecure.

      • infosectdk in reply to Graham Cluley.

        January 12, 2017 at 12:51 pm #

        Quite clearly MongoDB could patch/update the installation release to their databases to make it secure by default, or at the very least "lazy" admins have to make and effort to undo the fixes?

        An Admin has no excuse to their bosses if there is a breach and their "newer" version is the problem due to a lazy admin?

        Obviously the legacy issues – and it is always legacy issues isn't it, is the major problem.

        Also a culture issue. We bang on at end users to be more savvy and secure, but I really think the c-level exec people don't have a clue and need to get a grip.

Leave a Reply