
Thousands of MongoDB databases compromised and held to ransom

[Database (general) | Category: Database (general) | Posted by 店小二03 | 2017 | Author 红领巾]


Need a better understanding of how damaging ransomware attacks can be? There’s no better case study than what’s happened to MongoDB.

Last week, it came to light that unsecured MongoDB databases were being hit by an attacker demanding a 0.2BTC ransom ($220) to return the data he was holding hostage.

The attacker, who goes by the online handle Harak1r1, has been hitting servers across the globe, said penetration tester Victor Gevers, who noticed the attacks when he reported exposed installations to their owners.

He also warned admins via Twitter about the attacker, who to date appears to have collected 16 deposits of exactly 0.2BTC via a Bitcoin wallet after having accessed unprotected databases, exported the content and replaced the data with the ransom demand.

Open MongoDB = Money 4 bad ppl.

SEND 0.2 BTC TO THIS ADDRESS AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE ! pic.twitter.com/gS4TxS7S09

― Victor Gevers (@0xDUDE) December 27, 2016

Gevers, from Netherlands-based GDI Foundation, has been tracking the activity along with Niall Merrigan, a Norway-based developer. They’ve warned that it’s old MongoDB instances deployed via cloud hosting services, mostly on the AWS platform with a default configuration, that are being attacked.

Dark Reading contributing writer Ericka Chickowski noted in her report that these attacks show how the bad guys are diversifying their ransomware tactics. She wrote:

The present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure; they simply take advantage of poorly implemented systems.

The downward spiral

Tuesday, the news kept getting worse for MongoDB users. Merrigan noted a massive surge in attacks on Monday, with the number of compromised servers doubling in a single day. Citing Merrigan’s data, Information Security Media Group (ISMG) managing editor Jeremy Kirk wrote:

Early on Jan. 9, about 12,000 MongoDB servers had been compromised … Later that day, the figure surged to 28,000. The total amount of data held hostage could be as high as 93 terabytes. Affected organizations are shown a warning asking them to pay a ransom in bitcoin, the virtual currency. The attackers typically delete the database and leave a ransom note in its place. Recently seen ransoms have demanded quantities of bitcoins ranging in value from $200 to $1,000.

Kirk noted that according to a spreadsheet Gevers and Merrigan compiled, 20 victims have paid ransoms so far but haven’t gotten their data back.

The number of potential victims in an attack like this is substantial. MongoDB has gotten extremely popular in recent years because it uses a schema that’s a lot more flexible than others. The ranking system of DB-engines.com has it pegged as the fourth-most popular database management system (DBMS) and the most popular NoSQL DBMS.

“MongoDB is the fastest-growing database ecosystem, with over 20 million downloads, thousands of customers, and over 1,000 technology and service partners,” DB-engines.com says on its website.

Security experts say it’s hard to tell at this point how many entities have data that’s being held hostage by Harak1r1. Victims who have their data backed up can tell the kidnapper to take a hike. There’s limited comfort in that, though. It’s unsettling and damaging whenever a company’s data is compromised.

MongoDB users were warned

John Matherly, founder of Shodan, a search engine for internet-connected devices, wrote a post in 2015 warning of large numbers of Internet-facing MongoDB servers running old and vulnerable software. He wrote:

At least with mysql, PostgreSQL and much of the relational database software the defaults are fairly secure: listen on the local interface only and provide some form of authorization by default. This isn’t the case with some of the newer NoSQL products that started entering mainstream fairly recently.

The problem for MongoDB users seems to be that on some systems the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Users are supposed to read the manual and set up access control and authentication after installing the software, but it seems that plenty of them don’t.

The result is an internet-connected database with no access control or authentication.
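The two exposures described above (a listener bound to every interface and no access control) are both visible in a mongod.conf. The audit below is an added example written for this page, not code from Sophos or the MongoDB project; the two sample configs are constructed, and the parser only handles the plain two-level `key: value` layout mongod.conf uses, so it needs no third-party YAML library.

```python
"""Audit a mongod.conf for the two weaknesses behind the MongoDB ransom wave:
a listener reachable from any network and no authorization enabled."""
import re

# Constructed sample: a default-style config that listens on all interfaces
# and never turns on access control.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback-only listener plus role-based access control.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_simple_yaml(text):
    """Flatten a two-level mongod.conf into {'net.bindIp': '0.0.0.0', ...}.
    Supports only 'section:' headers with indented 'key: value' lines; no lists."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(\s*)([A-Za-z_][\w.]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:                                 # top-level section
            section = key
        elif section:
            out[f"{section}.{key}"] = value.strip("'\"")
    return out

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg, findings = parse_simple_yaml(text), []
    bind = cfg.get("net.bindIp")
    if bind is None:
        findings.append("net.bindIp not set: older mongod builds default to all interfaces")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(f"net.bindIp={bind}: listener reachable from any network")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: no credentials required")
    return findings
```

Run it against `/etc/mongod.conf` on each host before exposing it; an empty result means the listener is loopback-only and authorization is on, but it says nothing about backups, which the article's victims also lacked.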

The need for awareness

The MongoDB story highlights the need for increased awareness. The lack of understanding when it comes to ransomware was made plain during a recent survey Sophos conducted. The survey asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware.

More than 30% admitted their defenses against phishing and ransomware are poor, and that they lack sufficient understanding of how they are targeted and what they can do about it. It’s not that people are completely clueless about the dangers they face. They simply acknowledged that they’re not as educated and experienced as they’d like to be.

More than half of those polled said they give IT advice to family and friends. But 14% of them admitted that they’re unsure about whether they’ve properly backed up the data on someone else’s computer or if they have the ability to recover that data if the computer is ever hacked. Meanwhile, 11% admitted they’re unsure if the computers they look after are truly protected from hackers and viruses.

The bottom line

If you’re a MongoDB user, make sure your data is backed up, that your database is patched and up to date, and that you’ve read the security section of the MongoDB manual.

For more advice on protecting yourself from ransomware, take a look at “Your data is being held to ransom. Now what?”

Site link: http://www.codesec.net/view/524119.html