1/10/2017
10:00 AM
MongoDB Attack Shows Off Cyber Extortionists' New Tricks

Ransomware operators are diversifying their cyber-extortion toolkit and expanding their range of targets.

A cluster of attacks against MongoDB servers, which has affected more than half of the Internet-facing MongoDB databases, is taking the cyber-extortion game in a whole new direction. First identified by researchers last week, the MongoDB attacks highlight the fact that attackers are seeking to diversify beyond the traditional ransomware attacks that proved so lucrative for them last year. They're doing it by using some old tricks in new ways, while targeting new technologies along the way.

A non-relational, or NoSQL, database, MongoDB has skyrocketed in popularity over the last few years as current development practices and big-data applications lean heavily on its flexible schemas. It is currently ranked as the fourth-most-popular database management system (DBMS) and the most-used NoSQL DBMS, according to DB-engines.com.

Discovered and tracked by security researchers Victor Gevers and Niall Merrigan, the present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, copy the data out of the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these require no advanced malware or even any kind of phishing lure; they simply take advantage of poorly implemented systems.

"The issues that we are seeing with MongoDB are really just attacking the same old misconfigurations in new technologies, but adding in the ransomware element," says Jake Kouns, chief information security officer for Risk Based Security, who says his firm uncovered attacks just six months ago against another NoSQL DBMS, Redis, which similarly took advantage of installations without passwords to cause a number of garden-variety breaches. "From my point of view, we are going to continue to see this as long as technology is not properly implemented and secured. Right now, MongoDB is in the spotlight, but give it a bit longer and it will be another technology that is targeted."

The truly troubling part about this spate of attacks is how easily these opportunistic attacks were able to spread, says Elliott Abraham, senior security architect at ADAPTURE, an IT consultancy. It has been much like wildfire catching in dry tinder, with Gevers and Merrigan reporting that the numbers jumped from a few isolated incidents identified early last week to 10,000 incidents later in the week and then to well over 28,000 compromised databases by yesterday.

These are all installations in which database administrators and system administrators did not follow even the most basic of security procedures, Abraham says.

"The sad reality is that these attacks could be avoided. Proper database system architecture should consist of multiple zones or tiers separating web servers, application servers, and the database servers on which live the crown jewels of the organization," he explains. "The architectural flaw is that when many move to the cloud, networks have become flatter, often collapsing into a single zone where internet-facing web servers are on the same network as both application servers and database servers. MongoDB should have strict network access control, and access to ports 27017-27019 should be restricted by firewall rules and ideally only allowed to the localhost on the database."
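The two weaknesses the article turns on are an instance listening beyond the host (the "accessible to the Internet" part) and no administrator credential being required (the "without a set administrator password" part). As an added illustration, not code from the article, from MongoDB or from the researchers quoted, the script below audits a mongod.conf for exactly those two settings: net.bindIp and security.authorization. The two sample configurations are constructed for this example, the tiny YAML-subset parser and the finding messages are this example's own, and the fact it relies on is that MongoDB releases before 3.6 listened on every interface when bindIp was not set.

```python
"""Audit a mongod.conf for the misconfigurations behind the 2017 MongoDB ransom wave.

Two checks only:
  1. net.bindIp       - is the listener reachable from anywhere but localhost?
  2. security.authorization - is authentication actually enforced?
"""

# Constructed sample: the kind of config found on the compromised hosts.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: bound to loopback only, with authorization enforced.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text):
    """Parse the key: value / nested-mapping subset that mongod.conf uses.

    Assumption of this example: space indentation, scalar leaf values, no lists.
    Good enough for the audit; a full YAML parser would replace it in practice.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close mappings at the same or deeper level
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf_text):
    """Return a list of finding strings; an empty list means both checks pass."""
    conf = parse_simple_yaml(conf_text)
    findings = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp", "") if isinstance(net, dict) else ""
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    if not addrs:
        # Fact: before MongoDB 3.6 an unset bindIp meant "listen on all interfaces".
        findings.append("net.bindIp missing: releases before 3.6 default to every interface")
    else:
        external = [a for a in addrs if a not in LOOPBACK]
        if external:
            findings.append("net.bindIp reachable beyond localhost: " + ", ".join(external))

    security = conf.get("security", {})
    authz = security.get("authorization", "disabled") if isinstance(security, dict) else "disabled"
    if authz != "enabled":
        findings.append(
            "security.authorization is %r: any client that reaches the port has full access" % authz
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

A non-loopback bindIp is reported even when it is a private address, because the audit cannot see the firewall; that is the point of Abraham's advice above to restrict ports 27017-27019 at the network layer as well, so that a binding mistake alone does not expose the data.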

While the type of insecurity leveraged by the attackers may not be new, these attacks are one of the first widespread instances in which data is stolen through a vulnerability and then held for ransom, says Casey Ellis, CEO of Bugcrowd.

"This is a logical, interesting and pretty scary pivot in the ransom strategy," he says. "Cybercriminals are entrepreneurs at heart. There are tons of open unauthenticated data stores on the internet and where there is a will there is a way. Where there is money to be made cybercriminals will find a way to make it."

He says that the first wave of attacks last week was almost a proof of concept, and that the rapid uptick in compromises over the course of the week was inevitable after that initial success. Like Kouns, he expects to see a rash of these attacks on similar services in the next month.

It's still unknown how many of the affected organizations truly lost their data and are at the mercy of extortionists to get it back. These are the type of data stores that are likely to exist in backups somewhere, says Travis Smith, senior security research engineer at Tripwire.

"Databases are typically high on the list of what enterprises will be backing up on a regular basis, so the encrypted or deleted data can be restored quickly without having to pay a ransom," he says.

Of course, databases are also the kind of system that is not normally put on the public Internet without a password, so it's no stretch to suppose that organizations with such sloppy practices have also created a self-selected pool of targets that are similarly unprotected on the backup front. It will be hard to ever know the exact extent of the extortion damage from these attacks.

More certain, though, is the growing trend of cyber extortionists continuing to look for fresh meat in 2017. Smith believes that this assault on MongoDB is a sign that ransom campaigns will get more advanced from the operational perspective, even if not necessarily from the technology perspective, as attackers seek out more lucrative targets.

"Criminals will mirror cyber espionage tactics and do much more reconnaissance before encrypting data," Smith says. "After gaining a foothold, criminals can analyze individual businesses to determine which data is most critical to the business before encrypting anything. This will allow for a higher ransom in the six- to seven-figure range, rather than a few hundred dollars per infection."

As a result, he believes that we should expect to see a shift from high-volume attacks with small demands toward lower-volume attacks with higher ransom amounts.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.