The New Wave of MongoDB Attacks – Bigger Than Before

IT specialists warn about the resumption of extortion attacks aimed at misconfigured MongoDB servers.

The first wave of MongoDB attacks was observed in late 2016. Dozens of criminal groups hacked vulnerable MongoDB servers at that time, and later went on to target ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL as well.

Cybercriminals erased all information from the databases and demanded a ransom from the server owners for its return. Importantly, this was a bluff: the criminals could not give the data back because, as noted above, they deleted it outright during the attack.

This week the extortionists have stepped up again. Although the number of attackers is small compared with the cases seen at the beginning of the year, the new criminal groups involved are operating on a far larger scale, and the new attacks cause much more damage. For example, whereas in winter criminals compromised about 45,000 databases per month, the Cru3lty group alone has now compromised 22,449 databases in a single week.

MongoDB attack – scheme by enisa.europa.eu

MongoDB's developers cannot leave what is happening unaddressed. The company blog carries a post from senior director Davi Ottenheimer, who writes that the developers are assisting IT security specialists and are also trying to understand what is happening. Unfortunately, the news from the field is mostly bad so far.

“We are collecting the details to understand where and when users leave their systems unprotected, and who attacks them,” Ottenheimer says.

The developers acknowledge that the problems go back to before the release of version 2.6.0. The default configuration of earlier versions of MongoDB allowed anyone to connect to the administrative interface, not only from localhost but from remote hosts. Worse, the administrator account could operate without a password, a real gift for intruders.
Although the company quickly recognized these mistakes and corrected them, the insecure installation packages had already spread across the Internet. They were used by hosting providers and even by giants such as Amazon. As a result, thousands of insecure MongoDB servers became easy targets for criminals.

The new study reveals that administrators of old and vulnerable versions are not the only targets. Researchers report that users themselves undermine the protection of their servers and ignore even the simplest security rules. As a result, many servers are exposed to the Internet with no passwords at all. MongoDB's developers and IT security specialists agree that databases of this kind have suffered the most during the new extortion campaign.

The developers once again reminded users of the need for timely software updates and encouraged them to study the settings carefully and secure the database configuration properly.
Ottenheimer reported that the upcoming release 3.5.7 (and 3.6.x) will bring strict localhost-only binding, applied by default in all releases.
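The two settings the article describes, a listener on every interface and an administrator with no password, are both visible in the server's configuration file. As an added illustration (not MongoDB's own tooling and not code from the article), the Python below audits a mongod.conf for exactly those two settings. The sample configurations inside it are constructed for this example; the keys net.bindIp, net.bindIpAll and security.authorization are the real names in the YAML configuration format that MongoDB introduced with 2.6 (bindIpAll exists from 3.6). Because releases before 3.6 listened on all interfaces when bindIp was left unset, the checker treats an absent bindIp as exposure rather than assuming the newer localhost default.

```python
"""Audit a mongod.conf for the two settings behind the MongoDB ransom attacks:
listening on every interface and running with no access control.
Added example for this article; not MongoDB's own tooling. The sample
configurations below are constructed for the example."""

import ipaddress

# Constructed sample: the "open" configuration the article describes. With
# no security section, authorization is off; bindIp 0.0.0.0 listens on all
# interfaces, so anyone on the Internet can act as administrator.
OPEN_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # exposed on every network the host is attached to
"""

# Constructed sample: the hardened form. Loopback-only binding and
# role-based access control enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of the YAML mongod.conf
    format into {section: {key: value}}. Deliberately minimal: enough for
    the keys audited here, not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        if not raw[:1].isspace():                  # top-level section name
            section = key.strip()
            conf.setdefault(section, {})
        elif section is not None:                  # indented key under it
            conf[section][key.strip()] = value.strip()
    return conf


def is_loopback_only(bind_ip):
    """True when every address listed in net.bindIp is a loopback address."""
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    if not addrs:
        return False
    for addr in addrs:
        if addr == "localhost":
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:                         # hostnames, Unix socket paths
            return False
    return True


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    findings = []

    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: listening on every interface")
    elif "bindIp" not in net:
        # Releases before 3.6 listened on all interfaces when bindIp was
        # unset; treat an absent setting as exposure.
        findings.append("net.bindIp not set: pre-3.6 default is all interfaces")
    elif not is_loopback_only(net["bindIp"]):
        findings.append("net.bindIp %r reachable from non-loopback networks"
                        % net["bindIp"])

    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: no password "
                        "needed to administer the server")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "OK")
```

Loopback-only binding is only a fix for a database that has no remote clients. A replica set member or a separate application server still has to reach the port, and in that case the correct configuration is a bindIp restricted to the internal interface, authorization enabled with a real administrator user created, and a firewall that admits only the hosts that need the port. The second check matters most: every server hit in this campaign was one where the attacker needed no credentials at all.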
