MongoDB databases suffer huge ransomware attacks

Over 27,000 servers compromised as hackers steal and delete data from unpatched or poorly-configured systems

MongoDB databases have suffered a surge of ransomware attacks, with over 27,000 servers currently compromised as hackers steal and delete data from unpatched or poorly-configured systems.

In common with most ransomware attacks, hackers are demanding payment in bitcoin.

The attacks were brought to the public's attention by ethical hacker and security researcher Victor Gevers. Gevers said the attacks started before Christmas, but significantly increased in volume more recently.

Hackers use automated scanning tools searching the web for signs of insecure or improperly configured MongoDB systems, he said.
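The exposure those scanners look for comes down to two settings in the server's own configuration file: a listener bound to every interface and access control left off. The following audit script is an added example, not code from the article or from MongoDB; it parses the nested-map subset of YAML that a mongod.conf uses and flags either condition. The two configuration samples are constructed for illustration, and the `bindIpAll` and `security.authorization` keys are real mongod options.

```python
"""Audit a mongod.conf for the two settings behind mass-exposure incidents:
a bindIp that listens on every interface and a server running without
access control. Added example, not from the article or from MongoDB Inc."""


def parse_simple_yaml(text):
    """Parse the nested-map subset of YAML that mongod.conf uses
    (`key: value` and `key:` followed by an indented block). Lists,
    anchors and multi-line scalars are out of scope for this audit."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither exposure was seen."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        # Builds before 3.6 bound all interfaces when bindIp was unset,
        # so an absent setting is treated as exposed here.
        findings.append("net.bindIp is not set: older builds default to all interfaces")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp includes a wildcard address: reachable from any network")

    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not enabled: "
                        "no credentials needed to read or drop data")
    return findings


# Constructed sample: the kind of configuration the scanners were finding.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: same server, local-only listener with access control on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run it against `/etc/mongod.conf` on each host as part of the configuration scan the later quotes call for; a non-empty result means the instance is reachable without credentials from wherever the network lets packets in, which is exactly the state the automated scanners exploit.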

Jason Garbis, Vice President of Products at Cryptzone said that these types of attacks are "exceptionally damaging but frustratingly they're also preventable."

"Exposing any system to the 'Internet Cesspit' is fundamentally a bad idea," said Garbis. "All systems have weaknesses - whether it's a vulnerability, poor configuration or inadequate controls. It's far too easy for an attacker to use Shodan [a search engine that lets users find specific types of computers including web cams and routers] to discover and then violate them.

"Rather than putting all of their systems in the shop window, particularly one that doesn't even have any glass to protect it, companies must wake up to the realisation that a new approach to network security is required. Taking an identity-centric approach, so one that only permits authorised users to access resources, would effectively brick up the window to anyone that doesn't know it's there, locking the attackers out and rendering their malware impotent," Garbis added.

Rob Sobers, director at Varonis said: "Organisations that run web-facing systems are in for a world of hurt if they aren't maniacal about patch management. Ransomware allows attackers to indiscriminately scan for vulnerable systems and encrypt data en masse, yielding a small fortune in bitcoins.

"MongoDB is not unique—OpenSSL, Apache, MySQL, Linux, etc. have all had their fair share of security. We've seen hackers exploit WordPress vulnerabilities that were patched more than 10 years ago!

"The problem of overexposed data goes behind the public Internet, too. We see the same exact problem behind the corporate firewall. It's not uncommon to find hundreds of thousands of sensitive folders with highly sensitive data exposed to every user on the network within the first few minutes of a risk assessment.

"There are a few fixable security failures here, namely poor configuration and patch management and not knowing where sensitive data resides. Organisations should have a documented patch management process, should scan for vulnerabilities and configuration mishaps, and discover and classify sensitive data and systems so they can properly lock them down," said Sobers.

Ilia Kolochenko, CEO of web security company High-Tech Bridge added: "We noticed the first usage of this particular branch of ransomware attacks in early 2015, and predicted that it would grow in the future.

"As we can see now, our predictions were right due to a very high economic attractiveness of the attack - victims almost always pay, as it's less expensive than recovering the data. Inevitably, these types of attacks will continue growing in the near future.

"There is nothing in particular companies can do to prevent these attacks, but to maintain an accurate inventory of their digital assets, keep their systems secure and up to date, as well as to implement continuous security monitoring."

At the end of June 2016 MongoDB unveiled its cloud-based NoSQL database-as-a-service offering.