Evidently DevOps running MongoDB haven’t heard the word about the latest round of ransomware targeting the database, as the numbers of deployments with data being held for ransom continues to rise.
Last week when the news started hitting the net about ransomware attacks focusing on unprotected instances of MongoDB, it seemed to me to be a story that would have a short life. After all, the attacks weren’t leveraging some unpatched vulnerabilities in the database, but databases that were misconfigured in a way that left them reachable via the Internet, and with no controls — like a password other than the default — over who had privileges. All that was necessary to get this attack vector under control was for admins to be aware of the situation and to be ready and able to reconfigure and password protect.
Guess what? It hasn’t gone down that way — at least not so far.
On Wednesday when I wrote about this there had been about 2,000 databases attacked. By this morning, according to eWeek, over 10,000 databases have been affected. What’s more, last week it appeared as if all of the attacks were being carried out by one person or organization. Now there are at least five organizations steadily working in an attempt to turn unprotected databases into bitcoins.
The methodology is so simple it doesn’t even take a script kiddie to do it, much less a master hacker-cracker. You also don’t need any encryption software. All you do is find an unprotected database, copy its contents, then replace the contents with a pay-up-or-we’ll-kill-your-data ransom note. Easy pickings, in other words. And how do they find these wide open databases? The old fashioned way would be to scan the Internet, but in this case they can just use the security search engine Shodan, which is used for finding devices connected to the Internet.
Last week the demands were all for 0.2 bitcoin per compromised database, which works out to about $203 in good ol’ ‘Murican money, but this morning we learn that one group has grabbed data from at least 17 MongoDB instances and is demanding a ransom of 0.25 bitcoin. So much for the theory that competition keeps prices low.
The attacks center around older versions of MongoDB, which shipped with a default setting that made it open to the Internet. The problem was discovered and fixed back in 2015, but some admins evidently haven’t received the word. The problem is also made worse by the fact that customers firing up MongoDB in the AWS cloud are deploying vulnerable versions.
Long story short: If you’re deploying MongoDB, you might want to make sure you’re using the latest version. You also might want to make sure you’re following Mongo’s best security practices. Otherwise, you can create a bitcoin wallet if you don’t have one already, because there’s a good chance you’ll be needing it.