A new series of ransomware attacks targeting MongoDB databases has prompted the company to implement new data security measures.
The new attacks follow a similar pattern to the MongoDB ransack campaign unleashed at the end of 2016 and beginning of 2017, when more than 33,000 MongoDB databases fell victim within weeks. By mid-January, attackers began targeting Hadoop and CouchDB databases, though that campaign didn’t claim as many victims.
Cybercriminals targeted poorly secured databases that were exposed to the Internet and allowed them to log in; they wiped the databases clean and left ransom notes behind. Attackers claimed to have copied the content of the databases before wiping them, but researchers such as Victor Gevers, chairman of the GDI Foundation, discovered that the attackers didn’t exfiltrate data, but simply erased it.
Three new hacking groups started hitting the MongoDB databases by the end of summer. By September 2, after less than a week of activity, the groups ransacked a total of over 26,000 databases. One group alone claimed over 22,000 of the attacks.
The new incidents, however, don’t represent a new risk, but merely show that hackers have found new targets, MongoDB says. Hackers are targeting misconfigured and unmaintained MongoDB deployments, just as before.
If left exposed to the Internet and without the proper security in place, these databases are bound to fall. Some were left connected to the Internet with no password to the admin account, MongoDB notes in a blog post.
To reduce the chance that databases are deployed insecurely, MongoDB has decided to make new changes in upcoming releases. The database software maker has already made localhost binding the default configuration in the most popular deployment package formats (RPM and deb) since version 2.6.0, meaning that all networked connections need to be explicitly configured by an administrator.
“Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release,” the company says.
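To check an existing deployment for the two conditions described above (a listener reachable beyond localhost, and no access control), here is an added example that is not MongoDB's code or part of the article: it reads the simple two-level layout of a mongod.conf and reports both misconfigurations. The minimal parser, the `audit` function and the sample configs are this example's own assumptions; it does not implement the full YAML spec.

```python
"""Flag a mongod.conf that listens beyond loopback or has authorization off.
Assumption: the file uses the plain 'section:' / '  key: value' layout
typical of mongod.conf; this is not a general YAML parser."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_mongod_conf(text):
    """Return {section: {key: value}} from the two-level config text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith((" ", "\t")):         # top-level section name
            section = key
            conf.setdefault(section, {})
        elif section is not None:                   # indented key under it
            conf[section][key] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    net = conf.get("net", {})
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        findings.append("net.bindIp not set: servers before 3.6 default to all interfaces")
    else:
        exposed = [a.strip() for a in net["bindIp"].split(",")
                   if a.strip() not in LOOPBACK]
        if exposed:
            findings.append("net.bindIp exposes non-loopback address(es): " + ", ".join(exposed))
    sec = conf.get("security", {})
    if str(sec.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization not enabled: any client that connects has full access")
    return findings


# Constructed sample configs (not taken from the article or any real host).
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0   # reachable from anywhere\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(text)) or ["OK"])
```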
Victor Gevers, who has been long advocating for the inclusion of additional security features in MongoDB, has confirmed to SecurityWeek that version 3.6 will include “long awaited improvement for security which prevent unsafe default deployments.”
He also revealed that, in the new attacks, some of the databases have been hit multiple times after their admins restored the data but didn’t fix the actual problem. According to him, however, only deployments that are discoverable via open source intelligence are being targeted.
“There are attacks going on at a small scale against the machines that were already hit. New MongoDB instances which are not indexed by the famous search engine Shodan are not being hit. This means some groups don’t scan themselves but simply use OSINT,” Gevers said.
There have been nearly 76,000 such attacks registered to date, as per a Google Docs spreadsheet maintained by Gevers, Niall Merrigan, and others. The researchers have been working hard to help victims, but they do so as volunteers: “But don’t forget we are doing this work as volunteers. We are expected to be the last resort and failure is not an option,” Gevers said.
During the first series of attacks in early January, the researchers helped 126 victims, including organizations that represented the “most horrifying data losses I have seen in my entire career,” Gevers said. One incident, he pointed out, involved the leak of data pertaining to hundreds of thousands of patients.
The issue, the researcher argues, is that many organizations aren’t even aware of the fact that they have been breached: “Awareness is an issue which needs to be addressed over and over again. I think the GDPR is going to help with that,” he said.
“Most people have no clue what they are doing. We see across all great (open source) products. From CouchDB, Redis, ElasticSearch, Hadoop HDFS, Jenkins, etc, etc. DevOPS have increased the amount of this kind of data leaks significantly in the last 5/6 years,” Gevers also said.