Exposed MongoDB database draws attacks within hours

Experimental honeypot set up by researchers reveals locations where most of the attacks come from

A Comparitech experiment led by cyber security researcher Bob Diachenko has shown that exposed databases on the internet are probed within hours of being set up.

The researchers say they put a MongoDB honeypot on the web for three months to discover who would try to access, steal and destroy the exposed data, and where those unauthorised requests come from.

According to researchers, the first attack on the bogus database came after just 7 hours and 31 minutes. In total, 428 unauthorised connections were recorded over a three-month period, between 6th December 2019 and 7th March 2020.

Of all the unauthorised requests, just over half (218) originated from IP addresses registered in the US, followed by the Netherlands, France, Singapore and Russia. The researchers cautioned, however, that the registration country of an IP address does not necessarily reveal where the attacker is based, since requests can be sent from rented virtual machines and routed through proxies.

The team sorted the 428 unauthorised requests into four groups: 127 were legitimate scans, 130 were status checks, 137 were data thefts, and 34 were destructive requests.

The legitimate scans came from internet scanners that are open about their purpose. French IT security firm Intrinsec, for example, which maps open-source data on the internet, made 34 requests to the honeypot.

Most of the 130 status-check requests were also benign: they only queried the server and connection status, and no data was accessed, modified or deleted.

The remaining requests were hostile: 137 attempted to view, scrape and download data without authorisation, and 34 were destructive requests that modified or destroyed data on the server.

Comparitech's results arrived as other researchers reported a wave of automated 'Meow' attacks on online databases, MongoDB instances included. The attack targets unsecured databases and destroys their contents without leaving any explanation.

The attacks have hit a large number of MongoDB and Elasticsearch instances indiscriminately. More than 1,000 unsecured databases had been permanently wiped at the time of the reports, according to researchers.

Unlike earlier attacks on open databases, which held the data for ransom, the Meow script makes no demand at all: it simply deletes the indexes or collections and replaces them with random characters followed by the word "meow".
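The four-way classification the researchers describe (scan, status check, data theft, destructive), together with the "meow" naming signature, is straightforward to reproduce as detection logic over a connection log. The block below is an added example, not Comparitech's tooling or anything from the Meow reports: it groups commands by connection, labels each connection by the most serious thing it did, and flags Meow-style names. The records are constructed and simplified (they are not mongod's real log format), the command groupings are an assumption about what an unauthenticated client typically sends, and the "self-identifying scanner" list is a placeholder.

```python
"""Classify connections to an unauthenticated MongoDB listener.

Added example: the records below are constructed for illustration and do
not follow mongod's log format. Each record is one command seen on one
connection: conn id, remote address, client application name from the
handshake (often empty), the command name and the namespace it touched.
"""
from collections import Counter, defaultdict

# Assumed groupings of commands an unauthenticated client can issue.
STATUS_CMDS = {"isMaster", "hello", "ping", "buildInfo", "serverStatus",
               "hostInfo", "listDatabases", "listCollections"}
READ_CMDS = {"find", "aggregate", "getMore", "count", "distinct"}
WRITE_CMDS = {"dropDatabase", "drop", "delete", "update", "insert",
              "create", "findAndModify", "renameCollection"}

# Placeholder: application names of scanners that announce themselves.
KNOWN_SCANNERS = {"scanner.example"}

# Constructed sample: four connections, one per category.
RECORDS = [
    {"conn": "conn1", "remote": "198.51.100.7", "app": "scanner.example", "cmd": "isMaster", "ns": "admin"},
    {"conn": "conn1", "remote": "198.51.100.7", "app": "scanner.example", "cmd": "listDatabases", "ns": "admin"},
    {"conn": "conn2", "remote": "203.0.113.5", "app": "", "cmd": "isMaster", "ns": "admin"},
    {"conn": "conn2", "remote": "203.0.113.5", "app": "", "cmd": "serverStatus", "ns": "admin"},
    {"conn": "conn3", "remote": "192.0.2.44", "app": "", "cmd": "listDatabases", "ns": "admin"},
    {"conn": "conn3", "remote": "192.0.2.44", "app": "", "cmd": "find", "ns": "shop.customers"},
    {"conn": "conn3", "remote": "192.0.2.44", "app": "", "cmd": "getMore", "ns": "shop.customers"},
    {"conn": "conn4", "remote": "203.0.113.99", "app": "", "cmd": "listDatabases", "ns": "admin"},
    {"conn": "conn4", "remote": "203.0.113.99", "app": "", "cmd": "dropDatabase", "ns": "shop"},
    {"conn": "conn4", "remote": "203.0.113.99", "app": "", "cmd": "create", "ns": "shop.7xq3k1-meow"},
]


def classify_connection(records):
    """Label one connection by the worst thing it did.

    Order matters: a self-declared scanner that drops data is still
    destructive, so writes are checked before the scanner allowlist.
    """
    cmds = {r["cmd"] for r in records}
    apps = {r["app"] for r in records}
    if cmds & WRITE_CMDS:
        return "destructive"
    if cmds & READ_CMDS:
        return "theft"
    if apps & KNOWN_SCANNERS:
        return "scan"
    return "status"


def meow_indicators(records):
    """Return namespaces written by this connection whose database or
    collection name ends in 'meow', the signature the Meow reports describe."""
    hits = []
    for r in records:
        if r["cmd"] not in WRITE_CMDS:
            continue
        name = r["ns"].rpartition(".")[2]  # collection, or database if no dot
        if name.lower().endswith("meow"):
            hits.append(r["ns"])
    return hits


def summarise(records):
    """Group records by connection; return per-connection verdicts,
    category counts and the list of connections with Meow indicators."""
    by_conn = defaultdict(list)
    for r in records:
        by_conn[r["conn"]].append(r)
    verdicts = {c: classify_connection(rs) for c, rs in by_conn.items()}
    counts = Counter(verdicts.values())
    meow = [c for c, rs in by_conn.items() if meow_indicators(rs)]
    return verdicts, counts, meow


if __name__ == "__main__":
    verdicts, counts, meow = summarise(RECORDS)
    for conn, verdict in verdicts.items():
        print(f"{conn}: {verdict}")
    print("counts:", dict(counts))
    print("meow indicators on:", meow)
```

On a real deployment the records would come from mongod's log or auditing output rather than an inline list, and the scanner allowlist would be populated from the handshake metadata the honest scanners actually send; the classification order (writes outrank reads, which outrank a scanner's self-declaration) is the part worth keeping.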