
MongoDB ransom attacks continue to plague administrators

[Category: Database (general) | Posted by: 店小二04 | Date: 2017 | Author: 红领巾]

Earlier this month, Salted Hash reported on a surge in attacks against publicly accessible MongoDB installations.

Since January 3, the day of that first report, the number of victims has climbed from about 200 databases to more than 40,000. In addition to MongoDB, those responsible for the attacks have started targeting Elasticsearch and CouchDB.

No matter the platform being targeted, the message to the victim is the same: send a small Bitcoin payment to the listed address, or forever lose access to your files.

The problem is, some of the more recent attacks show evidence the database was erased. So even if the ransom is paid, the data is lost for good.

The researchers tracking these attacks are aware of at least four individuals who delete the databases entirely after running a list command. Once the data is deleted, they leave the ransom note and log off the system. So far, these individuals have used more than a dozen Bitcoin wallet addresses and nine different email accounts.

The tracking document is available on Google Docs.

Based on the most recent figures, ten organizations paid the ransom in order to restore their databases, but not a single one has had their data returned. Only one of those victims had backups to use when the ransom payment failed.

But MongoDB was just the start.

Soon, criminals started going after other development platforms, such as Elasticsearch - a Java-based search engine that's popular in enterprise environments. Then they moved on to public facing Hadoop and CouchDB deployments.

Researchers at Rapid7 Labs have been following these attacks and used Project Sonar to look at the current situation.

"The core reason why attackers are targeting devops-ish technologies is that most of these servers have default configurations which have tended to be wide open (i.e. they listen on all IP addresses and have no authentication) to facilitate easy experimentation [and] exploration," a report from Rapid7 explains.

"Said configuration means you can give a new technology a test on your local workstation to see if you like the features or API but it also means that ― if you’re not careful ― you’ll be exposing real data to the world if you deploy them the same way on the internet."

The attacks targeting MongoDB and the others are automated, and there have been cases where more than one attacker has hit the same exposed server.

[Image, credit: Rapid7]

Using Project Sonar, Rapid7 discovered 55,895 MongoDB installations reachable from the public internet. Of those, 50 percent were compromised. Of the exposed Elasticsearch servers (18,221), 42 percent had been hijacked and held for ransom. Finally, for CouchDB, Rapid7 discovered 4,490 systems, and 90 percent of them had been compromised.

The numbers align with other points of discussion and comments online, but the report does state that independent results will vary. This is due to the number of organizations that block Project Sonar scans outright, or that have asked Rapid7 not to scan their subnets.

[Image, credit: Rapid7]

The Project Sonar data shows that Amazon is the top host for most of the targeted platforms, followed by Softlayer, EGIHosting, and Digital Ocean.

Looking at the data for MongoDB, most of the attacks have been against installations that were still receiving support. However, MongoDB 2.6 and 2.4 (both end-of-life) were the second and third most commonly attacked versions, respectively.

The Rapid7 report suggests starting with proper configuration as a way to deal with these most recent attacks, as well as the others soon to follow. It is also important to make sure the software is updated regularly and that network access to the server is limited.

"You should also configure your monitoring services and vulnerability management program to identify and alert if your internet-facing systems are exposing an insecure configuration. Even the best shops make deployment mistakes on occasion," the report's authors conclude.
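As an added illustration (not code from the article or from Rapid7), the following Python script reads a mongod.conf and flags the two settings behind the exposure the report describes: a daemon bound to every interface and no authorization. Both configs are constructed examples; the 10.0.0.5 address is an assumed application-server address, and the parser assumes the plain two-level layout of a typical mongod.conf.

```python
"""Audit a mongod.conf for the open-by-default settings targeted by the ransom attacks."""


def parse_mongod_conf(text):
    """Minimal parser for the two-level 'section:\\n  key: value' layout of
    mongod.conf. Comments and blank lines are ignored; values stay strings."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith((" ", "\t")):      # top-level section, e.g. "net:"
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    net = conf.get("net", {})
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp not set: older releases listened on all interfaces by default")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append("net.bindIp=%s: daemon reachable from every interface" % bind)
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll is true: daemon reachable from every interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not enabled: anyone who can connect can list and drop databases")
    return findings


# Constructed configs: the wide-open layout beside the hardened one.
OPEN_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address (assumed)
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(text)) or ["ok"])
```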

The links below contain advice and other important security tips.

Source page: http://www.codesec.net/view/530951.html