Over the last few weeks, we've been seeing a new ransomware attack on MongoDB. MongoDB is a NoSQL database program and is free and open-source, under a couple of different public licenses. Like many large open-source projects, MongoDB offers various levels of paid support for enterprise customers, developers, and a variety of different needs.
The MongoDB attacks were discovered in late December, and were initially thought to be isolated incidents. As of January 6 there were over 10,000 attacks recorded, 17 ransoms paid, and a recent scan using Shodan reveals that about 46,000 MongoDB databases are vulnerable to this attack. Here's a summary of the attack from SecurityWeek:
…the hijackers search for MongoDB databases exposed to the Internet, access them, then steal their content and replace the database with one called WARNING. In many cases, owners are instructed to pay a 0.2 Bitcoin ransom to regain access to their content.
Breaking it down further, here's how it works:
The exposed databases allow unauthenticated connections via port 27017, meaning that anyone can access them with full admin rights, thus being able to create, read, update and delete records. Usually, Gevers warns companies that insecure databases can be used to host malware or botnets, or for hiding files in the GridFS. Now, he also warns them that databases could be held for ransom.
So far the attackers seem to be targeting databases that are likely to turn a profit, but more hijackers are starting to leverage the MongoDB vulnerabilities. As of January 8, 13 hijacker groups are in play, and attacks have been reported worldwide. As more hijackers jump in to monetize the MongoDB vulnerability, they start to cannibalize each other:
“Right now it's bedlam,” (Security Researcher Niall) Merrigan told Bleeping Computer yesterday, “attackers are deleting each other's ransoms as quick as they pop up.”
“It's a very interesting case, and it's like watching a gold rush at this point,” he added.
MongoDB is very popular on the AWS platform because AWS is a favorite for developers, and Amazon allows customers to configure MongoDB installations with the default settings. Unfortunately many customers do not take the extra steps to modify those defaults, so they end up with insecure databases. According to SC Magazine, “About 78 percent of all these hosts were running known vulnerable versions.”
MongoDB has published a blog post outlining steps you should take to secure your installation, and you should check it out if you are running MongoDB. If you are running workloads on AWS, take a look at our Amazon Web Services security solutions here. We offer a complete suite of solutions engineered for AWS and designed to protect customers from attacks like ransomware.
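The two settings behind the exposure described above (a listener on port 27017 that accepts unauthenticated connections, and defaults never changed after install) are the ones MongoDB's hardening guidance addresses. Below is an added example, not code from the original post, from Barracuda, or from MongoDB: a constructed default-style mongod.conf beside a hardened one, and a small audit function that flags the two problems. It assumes the YAML-style config format (MongoDB 2.6 and later), parses only the two-level subset that file uses so no PyYAML dependency is needed, and treats an absent bindIp as listening on all interfaces, which was the behaviour before MongoDB 3.6 changed the default to localhost.

```python
"""Audit a mongod.conf for unauthenticated access and all-interface binding.

Added example (not from the original post or from MongoDB). Handles the
`section:` / `  key: value` subset of the YAML config format only.
"""

# Constructed sample: a default-style config that leaves authorization off
# and listens on every interface, i.e. the exposed state the post describes.
WEAK_CONF = """\
# constructed example of an exposed deployment
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same deployment after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse top-level sections and their indented `key: value` children
    into a dict of dicts. Comments and blank lines are ignored."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                            # new section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:                  # child of current section
            conf[section][key] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []

    # Check 1: authorization must be enabled, otherwise any client that can
    # reach the port acts with full admin rights.
    security = conf.get("security", {})
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "unauthenticated clients get full admin rights")

    # Check 2: the listener should not be bound to every interface.
    # Assumption: an absent bindIp means all interfaces (pre-3.6 default).
    net = conf.get("net", {})
    addrs = [a.strip() for a in net.get("bindIp", "0.0.0.0").split(",")]
    public = [a for a in addrs if a in ("0.0.0.0", "::")]
    if net.get("bindIpAll", "false").lower() == "true":
        public.append("bindIpAll")
    if public:
        findings.append("net.bindIp listens on all interfaces (%s): bind to "
                        "localhost or internal addresses and firewall port %s"
                        % (", ".join(public), net.get("port", "27017")))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config: %s" % (name, audit(parse_conf(text)) or ["ok"]))
```

Run the script as-is to see the weak sample produce two findings and the hardened one none, or call `audit(parse_conf(open("/etc/mongod.conf").read()))` against your own deployment. Enabling authorization alone is not sufficient: you also need to create the admin user before turning it on, and the bindIp change must be paired with a firewall or security-group rule that keeps 27017 off the public Internet.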
Barracuda is an AWS Security Competency Certified Partner, and our solutions are available in AWS Marketplace.
For more information on how we can protect you from ransomware and other attacks, visit these resources: