未加星标

MongoDB Attack Shows Off Cyber Extortionists' New Tricks

字体大小 | |
[数据库(综合) 所属分类 数据库(综合) | 发布者 店小二05 | 时间 2017 | 作者 红领巾 ] 0人收藏点击收藏

Ransomware operators are diversifying their cyber-extortion toolkit and expanding their range of targets.

A cluster of attacks against MongoDB servers that has affected more than half of Internet-facing MongoDB databases is taking the cyber extortion game into a whole new direction. First identified by researchers last week, the MongoDB attacks highlight the fact that attackers are seeking to diversify beyond the traditional ransomware attacks that proved to be so lucrative for them last year. They're doing it using some old trick in new ways, while targeting new technologies along the way.

A non-relational or NoSQL database, MongoDB has skyrocketed into popularity over the last few years as current development practices and big data applications lean heavily on its flexible schemas. It's currently ranked as the fourth-most popular database management system (DBMS) and the most-used NoSQL DBMS, according to DB-engines.com .

Discovered and tracked by security researchers Victor Gerves and Niall Merrigan , the present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure - they simply take advantage of poorly implemented systems.

"The issues that we are seeing with MongoDB are really just attacking the same old misconfigurations in new technologies, but adding in the ransomware element," says Jake Kouns, chief information security officer for Risk Based Security, who says his firm uncovered attacks just six months ago against another NoSQL DBMS, Redis, which similarly took advantage of installations without passwords to cause a number of garden variety breaches. "From my point of view, we are going to continue to see this as long as technology is not properly implemented and secured. Right now, MongoDB is in the spotlight, but give it a bit longer and it will be another technology that is targeted."

The truly troubling part about this spate of attacks is how easily these opportunistic attacks were able to spread, says Elliott Abraham, senior security architect at ADAPTURE, an IT consultancy. It's been pretty much like wildfire catching in dry tinder, with Gerves and Merrigan reporting that the numbers jumped from a few isolated incidents identified early last week to 10,000 incidents later in the week and then to well over 28,000 compromised databases by yesterday.

These are all installations in which database administrators and system administrators did not follow even the most basic of security procedures, Abraham says.

"The sad reality is that these attacks could be avoided. Proper database system architecture should consist of multiple zones or tiers separating web servers, application servers, and the database servers on which live the crown jewels of the organization," he explains. "The architectural flaw is that when many move to the cloud, networks have become flatter, often collapsing into a single zone where internet-facing web servers are on the same network as both application servers and database servers. MongoDB should have strict network access control, and access to ports 27017-27019 should be restricted by firewall rules and ideally only allowed to the localhost on the database."

While the type of insecurity leveraged by attackers may not be new with these attacks, it is one of the first widespread instances where data is being stolen by a vulnerability and held in ransom fashion, says Casey Ellis, CEO of Bugcrowd.

"This is a logical, interesting and pretty scary pivot in the ransom strategy," he says. "Cybercriminalsare entrepreneurs at heart. There are tons of open unauthenticated data stores on the internet and where there is a will there is a way. Where there is money to be madecybercriminalswill find a way to make it."

He says that the first wave attacks last week was almost a proof of concept and that the rapid uptick in compromises over the course of the week was inevitable after initial success. Like Kouns, he expects to see a rash of these attacks on similar services in the next month.

It's still unknown how many of the affected organizations truly lost their data and are at the mercy of extortionists to get it back. These are the type of stores that are likely to exist in backups somewhere, says Travis Smith, senior security research engineer at Tripwire.

"Databases are typically high on the list of what enterprises will be backing up on a regular basis, so the encrypted or deleted data can be restored quickly without having to pay a ransom," he says.

Of course, databases are also arguably the types of systems that also are not put on the public Internet without passwords, too, so it's not a stretch that organizations with such sloppy practices have also created a self-selected pool of targets that are similarly unprotected on the backup front. It will be hard to ever know the exact extent of the extortion damage from these attacks.

More certain, though, will be the growing trend of cyber extortionists continuing to look for fresh meat in 2017. Smith believes that this assault on MongoDB is a sign that ransom trends will get more advanced from the operational perspective, even if not necessarily the technology perspective, as attackers seek out more lucrative targets.

"Criminals will mirror cyber espionage tactics and do much more reconnaissance before encrypting data," Smith says."After gaining a foothold, criminals can analyze individual businesses to determine which data is most critical to the business before encrypting anything. This will allow for a higher ransom in the six- to seven-figure range, rather than a few hundred dollars per infection."

As a result, he believes that in the future we should expect to see a shift from high-volume attacks toward lower-volume attacks with higher ransom amounts.

本文数据库(综合)相关术语:系统安全软件

主题: MongoDBSQLRedis
分页:12
转载请注明
本文标题:MongoDB Attack Shows Off Cyber Extortionists' New Tricks
本站链接:http://www.codesec.net/view/523200.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 数据库(综合) | 评论(0) | 阅读(62)