A cluster of attacks against MongoDB servers that has affected more than half of Internet-facing MongoDB databases is taking the cyber extortion game into a whole new direction. First identified by researchers last week, the MongoDB attacks highlight the fact that attackers are seeking to diversify beyond the traditional ransomware attacks that proved to be so lucrative for them last year. They're doing it using some old trick in new ways, while targeting new technologies along the way.
A non-relational or NoSQL database, MongoDB has skyrocketed into popularity over the last few years as current development practices and big data applications lean heavily on its flexible schemas. It's currently ranked as the fourth-most popular database management system (DBMS) and the most-used NoSQL DBMS, according to DB-engines.com.
Discovered and tracked by security researchers Victor Gerves and Niall Merrigan, the present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure - they simply take advantage of poorly implemented systems.
"The issues that we are seeing with MongoDB are really just attacking the same old misconfigurations in new technologies, but adding in the ransomware element," says Jake Kouns, chief information security officer for Risk Based Security, who says his firm uncovered attacks just six months ago against another NoSQL DBMS, Redis, which similarly took advantage of installations without passwords to cause a number of garden variety breaches. "From my point of view, we are going to continue to see this as long as technology is not properly implemented and secured. Right now, MongoDB is in the spotlight, but give it a bit longer and it will be another technology that is targeted."
The truly troubling part about this spate of attacks is how easily these opportunistic attacks were able to spread, says Elliott Abraham, senior security architect at ADAPTURE, an IT consultancy. It's been pretty much like wildfire catching in dry tinder, with Gerves and Merrigan reporting that the numbers jumped from a few isolated incidents identified early last week to 10,000 incidents later in the week and then to well over 28,000 compromised databases by yesterday.
These are all installations in which database administrators and system administrators did not follow even the most basic of security procedures, Abraham says.
"The sad reality is that these attacks could be avoided. Proper database system architecture should consist of multiple zones or tiers separating web servers, application servers, and the database servers on which live the crown jewels of the organization," he explains. "The architectural flaw is that when many move to the cloud, networks have become flatter, often collapsing into a single zone where internet-facing web servers are on the same network as both application servers and database servers. MongoDB should have strict network access control, and access to ports 27017-27019 should be restricted by firewall rules and ideally only allowed to the localhost on the database."
While the type of insecurity leveraged by attackers may not be new with these attacks, it is one of the first widespread instances where data is being stolen by a vulnerability and held in ransom fashion, says Casey Ellis, CEO of Bugcrowd.
"This is a logical, interesting and pretty scary pivot in the ransom strategy," he says. "Cybercriminals are entrepreneurs at heart. There are tons of open unauthenticated data stores on the internet and where there is a will there is a way. Where there is money to be made cybercriminals will find a way to make it."
He says that the first wave attacks last week was almost a proof of concept and that the rapid uptick in compromises over the course of the week was inevitable after initial success. Like Kouns, he expects to see a rash of these attacks on similar services in the next month.
It's still unknown how many of the affected organizations truly lost their data and are at the mercy of extortionists to get it back. These are the type of stores that are likely to exist in backups somewhere, says Travis Smith, senior security research engineer at Tripwire.
"Databases are typically high on the list of what enterprises will be backing up on a regular basis, so the encrypted or deleted data can be restored quickly without having to pay a ransom," he says.
Of course, databases are also arguably the types of systems that also are not put on the public Internet without passwords, too, so it's not a stretch that organizations with such sloppy practices have also created a self-selected pool of targets that are similarly unprotected on the backup front. It will be hard to ever know the exact extent of the extortion damage from these attacks.
More certain, though, will be the growing trend of cyber extortionists continuing to look for fresh meat in 2017. Smith believes that this assault on MongoDB is a sign that ransom trends will get more advanced from the operational perspective, even if not necessarily the technology perspective, as attackers seek out more lucrative targets.
"Criminals will mirror cyber espionage tactics and do much more reconnaissance before encrypting data," Smith says. "After gaining a foothold, criminals can analyze individual businesses to determine which data is most critical to the business before encrypting anything. This will allow for a higher ransom in the six- to seven-figure range, rather than a few hundred dollars per infection."
As a result, he believes that in the future we should expect to see a shift from high-volume attacks toward lower-volume attacks with higher ransom amounts.