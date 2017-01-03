Exposed MongoDB installs being erased, held for ransom

Administrators should check their MongoDB deployments before they’re wiped clean

Steve Ragan, Senior Staff Writer, CSO

Security researcher Victor Gevers, co-founder of the GDI Foundation, a non-profit dedicated to making the internet safer, is urging administrators to check their MongoDB installations, after finding nearly two hundred of them wiped and being held for ransom.

As of Monday morning, Gevers says he has discovered 196 publicly exposed MongoDB instances that have been erased and held for ransom.

The person behind the attacks is demanding 0.2 BTC ($202.89 USD) as payment, and requires that system administrators email proof of ownership before the files are restored. Those without backups are left in a bind.

Gevers has sent dozens of notifications to affected victims and on Twitter has responded to at least two requests for assistance after administrators learned of the issue.

In each observed attack, the message remains the same – pay up or lose your data. It’s possible the attacker is finding open MongoDB installs via basic scanning or Shodan, Gevers said. It’s also possible they’re finding MongoDB installs that are vulnerable to various exploits, including one that allows remote authenticated users to obtain internal system privileges.

Image: MongoDB install held for ransom (Victor Gevers / SRAGAN)
If so, administrators are caught in the middle of a race between Gevers and “Harak1r1”, the person responsible for the attacks. Asked for his thoughts and advice, Gevers shared the notification letter he is sending to identified victims.

In it, he advises that they protect their MongoDB installs by blocking access to port 27017 or by limiting access to the server by binding it to local IP addresses. Administrators can also choose to restart the database with the "--auth" option once they have assigned users access.

In addition, he offers the following tips:

  1. Check the MongoDB accounts to see whether anyone added a secret (admin) user.

  2. Check the GridFS to see if someone stored any files there.

  3. Check the log files to see who accessed the MongoDB instance (the show log global command).
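The hardening advice above (bind to an internal address, enable authorization) and the three checks in the letter can be turned into a repeatable triage script. The following is an added example written for this article, not code from CSO, Gevers or MongoDB. It runs in plain Node.js on constructed inputs; in a real investigation the same functions would be fed the server's mongod.conf, the documents from admin.system.users, the fs.files collection, and the output of db.adminCommand({ getLog: "global" }) (which is what show log global calls). The sample users, GridFS documents, IP addresses and log lines are all constructed, written in the style of mongod 3.x log output.

```javascript
// Added example (not code from the CSO article or from MongoDB): offline triage
// of an exposed MongoDB deployment, covering the hardening advice (bindIp, --auth)
// and the three checks from Gevers' notification letter. Every sample document,
// log line and IP address below is constructed for the example.
//
// In a live mongo shell the raw inputs would come from:
//   /etc/mongod.conf                              (net.bindIp, security.authorization)
//   db.getSiblingDB("admin").system.users.find()  (tip 1)
//   db.getSiblingDB("<db>").fs.files.find()       (tip 2)
//   db.adminCommand({ getLog: "global" })         (tip 3; what "show log global" calls)

// --- Hardening check: listening on every interface without authorization ---
function auditConfig(conf) {
  const findings = [];
  // mongod binaries before 3.6 bind all interfaces when net.bindIp is unset.
  const bindIp = (conf.net && conf.net.bindIp) || "0.0.0.0";
  if (bindIp.split(",").some((ip) => ["0.0.0.0", "::"].includes(ip.trim()))) {
    findings.push(`net.bindIp=${bindIp}: reachable on all interfaces; bind to an internal address and firewall port ${(conf.net && conf.net.port) || 27017}`);
  }
  if (!(conf.security && conf.security.authorization === "enabled")) {
    findings.push("security.authorization is not 'enabled': same as running without --auth, anyone reaching the port has full access");
  }
  return findings;
}

// --- Tip 1: accounts the team never provisioned, especially privileged ones ---
const PRIVILEGED_ROLES = new Set(["root", "userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase", "clusterAdmin"]);

function findUnexpectedUsers(users, expectedIds) {
  return users
    .filter((u) => !expectedIds.has(`${u.db}.${u.user}`))
    .map((u) => ({
      id: `${u.db}.${u.user}`,
      roles: u.roles.map((r) => `${r.role}@${r.db}`),
      privileged: u.roles.some((r) => PRIVILEGED_ROLES.has(r.role)),
    }));
}

// --- Tip 2: files parked in GridFS that the application never wrote ---
// Flags anything with a content type the app does not produce, or uploaded after
// the start of the suspected incident window.
function findSuspiciousGridFsFiles(files, allowedContentTypes, notBefore) {
  return files.filter((f) => !allowedContentTypes.has(f.contentType) || new Date(f.uploadDate) >= notBefore);
}

// --- Tip 3: who connected, from where, and what they did ---
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// mongod 3.x line shape: "<timestamp> <severity> <component>  [<context>] <message>"
const LOG_LINE = /^(\S+) [IWEF] (\w+)\s+\[(\w+)\] (.*)$/;

function auditLog(lines, trustedCidrs, expectedIds) {
  const connections = {}; // "conn42" -> remote address, so later events can be attributed
  const report = { untrustedConnections: [], unexpectedLogins: [], drops: [] };
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ts, , context, msg] = m;
    let d;
    if ((d = /^connection accepted from (\d+\.\d+\.\d+\.\d+):\d+ #(\d+)/.exec(msg))) {
      connections[`conn${d[2]}`] = d[1];
      if (!trustedCidrs.some((c) => inCidr(d[1], c))) report.untrustedConnections.push({ ts, conn: `conn${d[2]}`, remote: d[1] });
    } else if ((d = /^Successfully authenticated as principal (\S+) on (\S+)/.exec(msg))) {
      const id = `${d[2]}.${d[1]}`;
      if (!expectedIds.has(id)) report.unexpectedLogins.push({ ts, conn: context, principal: id, remote: connections[context] });
    } else if ((d = /^dropDatabase (\S+) starting/.exec(msg))) {
      report.drops.push({ ts, conn: context, db: d[1], remote: connections[context] });
    }
  }
  return report;
}

// --- Constructed sample inputs (not real data) ---
const SAMPLE_CONFIG = { net: { port: 27017, bindIp: "0.0.0.0" }, security: {} };
const EXPECTED_USERS = new Set(["admin.backup", "appdb.webapp"]);
const SAMPLE_USERS = [
  { user: "backup", db: "admin", roles: [{ role: "backup", db: "admin" }] },
  { user: "webapp", db: "appdb", roles: [{ role: "readWrite", db: "appdb" }] },
  { user: "svc_maint", db: "admin", roles: [{ role: "root", db: "admin" }] }, // nobody provisioned this
];
const SAMPLE_GRIDFS = [
  { filename: "avatar-1042.png", length: 18233, uploadDate: "2016-11-20T10:01:00Z", contentType: "image/png" },
  { filename: "update.exe", length: 2411520, uploadDate: "2017-01-02T04:05:12Z", contentType: "application/octet-stream" },
];
const SAMPLE_LOG = [
  "2017-01-02T03:14:07.210+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.12:48722 #41 (1 connection now open)",
  "2017-01-02T03:14:07.412+0000 I ACCESS   [conn41] Successfully authenticated as principal webapp on appdb",
  "2017-01-02T04:02:51.003+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:51234 #42 (2 connections now open)",
  "2017-01-02T04:02:53.118+0000 I COMMAND  [conn42] dropDatabase appdb starting",
  "2017-01-02T04:02:53.301+0000 I COMMAND  [conn42] dropDatabase appdb finished",
];

function triage() {
  return {
    config: auditConfig(SAMPLE_CONFIG),
    users: findUnexpectedUsers(SAMPLE_USERS, EXPECTED_USERS),
    gridfs: findSuspiciousGridFsFiles(SAMPLE_GRIDFS, new Set(["image/png", "image/jpeg"]), new Date("2017-01-01T00:00:00Z")),
    log: auditLog(SAMPLE_LOG, ["10.0.0.0/8"], EXPECTED_USERS),
  };
}

console.log(JSON.stringify(triage(), null, 2));
```

On the constructed inputs the report flags the config (all interfaces, no authorization), the unprovisioned root user svc_maint, the executable parked in GridFS, and a connection from outside the trusted 10.0.0.0/8 range that dropped the appdb database. Attributing the drop to a remote address only works because the script keeps the connection-number-to-address map from the earlier "connection accepted" line; without authorization enabled there is no principal to tie it to, which is the reason the letter puts enabling --auth ahead of the forensic checks.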

“Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases where open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” the notification letter explains.

In late 2015, there were approximately 35,000 MongoDB installations on the internet. Most of these installations were insecure and publicly available, and combined stored nearly 700 TB of data.

Configuration errors in MongoDB have led to a number of major data breaches, including the Hello Kitty data breach that exposed data on 3.3 million people.

A short time later, CSO Online was the first to report on the existence of an exposed MongoDB that contained 191 million voter records with the help of researcher Chris Vickery and Databreaches.net.

This was followed by a story detailing the existence of a second voter database a week later. Last April, a poorly configured MongoDB installation exposed the personal details on 93 million Mexican voters.

MongoDB is a favorite among some IT professionals, but if it isn’t configured properly and secured, this popular platform can be the source of a lot of pain within an organization. The official documentation for MongoDB contains a security checklist, and administrators are encouraged to follow it completely.

This story, "Exposed MongoDB installs being erased, held for ransom" was originally published by CSO.


Steve Ragan is senior staff writer at CSO. Prior to joining the journalism world in 2005, Steve spent 15 years as a freelance IT contractor focused on infrastructure management and security.
