Security Experts:

Connect with us

Hi, what are you looking for?



MongoDB Tightens Security Amid New Database Attacks

A new series of ransomware attacks targeting MongoDB databases has prompted the company to implement new data security measures.

A new series of ransomware attacks targeting MongoDB databases has prompted the company to implement new data security measures.

The new attacks follow a similar pattern to the MongoDB ransack campaign unleashed at the end of 2016 and beginning of 2017, when more than 33,000 MongoDB databases fell to the massacre within weeks. By mid-January, attackers began targeting Hadoop and CouchDB databases, though the campaign didn’t claim as many victims.

Cybercriminals were targeting poorly secured databases that were exposed to the Internet and allowed them to log in and wiped them clean, while leaving ransom notes behind. Attackers claimed to have copied the content of the databases before wiping them, but researchers such as Victor Gevers, chairman of the GDI Foundation, discovered that the attackers didn’t exfiltrate data, but simply erased it.

Three new hacking groups started hitting the MongoDB databases by the end of summer. By September 2, after less than a week of activity, the groups ransacked a total of over 26,000 databases. One group alone claimed over 22,000 of the attacks.

The new incidents, however, don’t represent a new risk, but merely show that hackers have found new targets, MongoDB says. Hackers are targeting misconfigured and unmaintained MongoDB deployments, just as before.

If left exposed to the Internet and without the proper security in place, these databases are bound to fall. Some were left connected to the Internet with no password to the admin account, MongoDB notes in a blog post.

To reduce the chance that databases are deployed insecurely, MongoDB has decided to make new changes in upcoming releases. The database software maker has already made localhost binding the default configuration (in most popular deployment package formats, RPM and deb) since version 2.6.0, meaning that all networked connections need to be explicitly configured by an administrator.

“Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release,” the company says.

Victor Gevers, who has been long advocating for the inclusion of additional security features in MongoDB, has confirmed to SecurityWeek that version 3.6 will include “long awaited improvement for security which prevent unsafe default deployments.”

He also revealed that, in the new attacks, some of the databases have been hit multiple times after their admins restored the data but didn’t fix the actual problem. According to him, however, only deployments that are discoverable via open source intelligence are being targeted.

“There are attacks going on at a small scale against the machines that were already hit. New MongoDB instances which are not indexed by the famous search engine Shodan are not being hit. This means some groups don’t scan themselves but simply use OSINT,” Gevers said.

There have been nearly 76,000 such attacks registered to date, as per a Google Docs spreadsheet maintained by Gevers, Niall Merrigan, and others. The researchers have been working hard helping victims, but they usually do voluntary work: “But don’t forget we are doing this work as volunteers. We are expected to be the last resort and failure is not an option,” Gevers said.

During the first series of attacks in early January, the researchers helped 126 victims, including organizations that represented the “most horrifying data losses I have seen in my entire career,” Gevers said. One incident, he pointed out, involved the leak of data pertaining to hundreds of thousands of patients.

The issue, the researcher argues, is that many organizations aren’t even aware of the fact that they have been breached: “Awareness is an issue which needs to be addressed over and over again. I think the GDPR is going to help with that,” he said.

“Most people have no clue what they are doing. We see across all great (open source) products. From CouchDB, Redis, ElasticSearch, Hadoop HDFS, Jenkins, etc, etc. DevOPS have increased the amount of this kind of data leaks significantly in the last 5/6 years,” Gevers also said.

Related: Ransack Campaigns Target Hadoop and CouchDB

Related: 33,000 Databases Fall in MongoDB Massacre

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...