1/10/2017 10:00 AM

MongoDB Attack Shows Off Cyber Extortionists' New Tricks

Ransomware operators are diversifying their cyber-extortion toolkit and expanding their range of targets.

A cluster of attacks against MongoDB servers that has affected more than half of Internet-facing MongoDB databases is taking the cyber extortion game in a whole new direction. First identified by researchers last week, the MongoDB attacks highlight the fact that attackers are seeking to diversify beyond the traditional ransomware attacks that proved so lucrative for them last year. They're doing it by using some old tricks in new ways, while targeting new technologies along the way.

A non-relational or NoSQL database, MongoDB has skyrocketed into popularity over the last few years as current development practices and big data applications lean heavily on its flexible schemas. It's currently ranked as the fourth-most popular database management system (DBMS) and the most-used NoSQL DBMS, according to DB-engines.com.

Discovered and tracked by security researchers Victor Gevers and Niall Merrigan, the present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, take a copy of the data in the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these attacks require no advanced malware or even any kind of phishing lure - they simply take advantage of poorly implemented systems.

"The issues that we are seeing with MongoDB are really just attacking the same old misconfigurations in new technologies, but adding in the ransomware element," says Jake Kouns, chief information security officer for Risk Based Security, who says his firm uncovered attacks just six months ago against another NoSQL DBMS, Redis, which similarly took advantage of installations without passwords to cause a number of garden-variety breaches. "From my point of view, we are going to continue to see this as long as technology is not properly implemented and secured. Right now, MongoDB is in the spotlight, but give it a bit longer and it will be another technology that is targeted."

The truly troubling part about this spate of attacks is how easily these opportunistic attacks were able to spread, says Elliott Abraham, senior security architect at ADAPTURE, an IT consultancy. It's been pretty much like wildfire catching in dry tinder, with Gevers and Merrigan reporting that the numbers jumped from a few isolated incidents identified early last week to 10,000 incidents later in the week and then to well over 28,000 compromised databases by yesterday.

These are all installations in which database administrators and system administrators did not follow even the most basic of security procedures, Abraham says.

"The sad reality is that these attacks could be avoided. Proper database system architecture should consist of multiple zones or tiers separating web servers, application servers, and the database servers on which live the crown jewels of the organization," he explains. "The architectural flaw is that when many move to the cloud, networks have become flatter, often collapsing into a single zone where internet-facing web servers are on the same network as both application servers and database servers. MongoDB should have strict network access control, and access to ports 27017-27019 should be restricted by firewall rules and ideally only allowed to the localhost on the database."
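The two conditions Abraham describes, a listener reachable from beyond the host and no authorization enforced, can both be read straight out of a mongod.conf. The following audit script is an added example written for this article, not code from Dark Reading or from MongoDB; the configuration keys it inspects (net.bindIp, net.port, security.authorization) are the real mongod.conf keys, but the two sample configurations are constructed here for illustration, the small parser only understands the flat two-level "section / key: value" subset those keys use, and a missing bindIp is treated as "all interfaces" as a deliberately conservative assumption.

```python
"""Audit a mongod.conf for the exposure pattern behind the extortion wave:
listening on a non-loopback address with authorization left disabled."""
import ipaddress

# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """\
# Exposed: every interface, no authorization section at all
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongo
"""

HARDENED_CONF = """\
# Restricted to localhost with authorization enforced
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongo
"""

# Default MongoDB port range named in the article (27017-27019).
MONGO_PORTS = range(27017, 27020)


def parse_simple_yaml(text):
    """Parse the two-level 'section:' / '  key: value' subset used by mongod.conf.
    Assumption: no lists, no quoting, no deeper nesting (not a general YAML parser)."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:                         # top-level section or scalar
            section = key
            result[section] = {} if value == "" else value
        else:                                   # key nested under the section
            result[section][key] = value
    return result


def _is_loopback(addr):
    """True only for addresses that cannot be reached from another host."""
    addr = addr.strip()
    if addr in ("localhost", "localhost6"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames or anything unparsable: treat as reachable


def audit(conf_text):
    """Return a dict with severity, exposure flags and human-readable findings."""
    conf = parse_simple_yaml(conf_text)
    net = conf.get("net") or {}
    sec = conf.get("security") or {}
    # Assumption: absent bindIp is read as all interfaces (conservative).
    bind_value = net.get("bindIp", "0.0.0.0")
    non_loopback = [a.strip() for a in bind_value.split(",") if not _is_loopback(a)]
    port = int(net.get("port", 27017))
    auth_enabled = sec.get("authorization", "disabled").lower() == "enabled"

    findings = []
    if non_loopback:
        findings.append(f"listens on non-loopback address(es) {non_loopback}; "
                        "restrict with firewall rules, ideally bindIp: 127.0.0.1")
        if port in MONGO_PORTS:
            findings.append(f"port {port} is in the well-known 27017-27019 range; "
                            "block it from untrusted networks at the host/network firewall")
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled'; anyone who can "
                        "reach the port gets full, unauthenticated access")

    if non_loopback and not auth_enabled:
        severity = "critical"          # exactly the case the attackers went after
    elif non_loopback or not auth_enabled:
        severity = "warning"
    else:
        severity = "ok"
    return {"severity": severity, "exposed": bool(non_loopback),
            "auth_enabled": auth_enabled, "port": port, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit(conf)
        print(f"{name}: {report['severity']}")
        for f in report["findings"]:
            print("  -", f)
```

Run it as-is to compare the two constructed configs; point `audit()` at the contents of a real mongod.conf to check a host. The severity logic keeps the two controls separate on purpose: a localhost-only listener without authorization is still a warning, because the moment someone adds a second bindIp or a port forward, it becomes the critical case.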

While the type of insecurity leveraged by attackers may not be new with these attacks, it is one of the first widespread instances where data is being stolen through a vulnerability and held for ransom, says Casey Ellis, CEO of Bugcrowd.

"This is a logical, interesting and pretty scary pivot in the ransom strategy," he says. "Cybercriminals are entrepreneurs at heart. There are tons of open unauthenticated data stores on the internet and where there is a will there is a way. Where there is money to be made cybercriminals will find a way to make it." 

He says that the first wave of attacks last week was almost a proof of concept and that the rapid uptick in compromises over the course of the week was inevitable after that initial success. Like Kouns, he expects to see a rash of these attacks on similar services in the next month.

It's still unknown how many of the affected organizations truly lost their data and are at the mercy of extortionists to get it back. These are the type of stores that are likely to exist in backups somewhere, says Travis Smith, senior security research engineer at Tripwire.

"Databases are typically high on the list of what enterprises will be backing up on a regular basis, so the encrypted or deleted data can be restored quickly without having to pay a ransom," he says. 

Of course, databases are also arguably the type of system that is not supposed to be put on the public Internet without a password, so it's not a stretch to think that organizations with such sloppy practices have also created a self-selected pool of targets that are similarly unprotected on the backup front. It will be hard to ever know the exact extent of the extortion damage from these attacks.

More certain, though, will be the growing trend of cyber extortionists continuing to look for fresh meat in 2017. Smith believes that this assault on MongoDB is a sign that ransom trends will get more advanced from the operational perspective, even if not necessarily the technology perspective, as attackers seek out more lucrative targets. 

"Criminals will mirror cyber espionage tactics and do much more reconnaissance before encrypting data," Smith says. "After gaining a foothold, criminals can analyze individual businesses to determine which data is most critical to the business before encrypting anything.  This will allow for a higher ransom in the six- to seven-figure range, rather than a few hundred dollars per infection."

As a result, he believes that in the future we should expect to see a shift from high-volume attacks toward lower-volume attacks with higher ransom amounts.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.