Attacks/Breaches

1/10/2017
10:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

MongoDB Attack Shows Off Cyber Extortionists' New Tricks

Ransomware operators are diversifying their cyber-extortion toolkit and expanding their range of targets.

A cluster of attacks against MongoDB servers that has affected more than half of Internet-facing MongoDB databases is taking the cyber extortion game into a whole new direction. First identified by researchers last week, the MongoDB attacks highlight the fact that attackers are seeking to diversify beyond the traditional ransomware attacks that proved to be so lucrative for them last year. They're doing it using some old trick in new ways, while targeting new technologies along the way.

A non-relational or NoSQL database, MongoDB has skyrocketed into popularity over the last few years as current development practices and big data applications lean heavily on its flexible schemas. It's currently ranked as the fourth-most popular database management system (DBMS) and the most-used NoSQL DBMS, according to DB-engines.com.

Discovered and tracked by security researchers Victor Gerves and Niall Merrigan, the present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure - they simply take advantage of poorly implemented systems.

"The issues that we are seeing with MongoDB are really just attacking the same old misconfigurations in new technologies, but adding in the ransomware element," says Jake Kouns, chief information security officer for Risk Based Security, who says his firm uncovered attacks just six months ago against another NoSQL DBMS, Redis, which similarly took advantage of installations without passwords to cause a number of garden variety breaches. "From my point of view, we are going to continue to see this as long as technology is not properly implemented and secured. Right now, MongoDB is in the spotlight, but give it a bit longer and it will be another technology that is targeted."

The truly troubling part about this spate of attacks is how easily these opportunistic attacks were able to spread, says Elliott Abraham, senior security architect at ADAPTURE, an IT consultancy. It's been pretty much like wildfire catching in dry tinder, with Gerves and Merrigan reporting that the numbers jumped from a few isolated incidents identified early last week to 10,000 incidents later in the week and then to well over 28,000 compromised databases by yesterday.

These are all installations in which database administrators and system administrators did not follow even the most basic of security procedures, Abraham says.

"The sad reality is that these attacks could be avoided. Proper database system architecture should consist of multiple zones or tiers separating web servers, application servers, and the database servers on which live the crown jewels of the organization," he explains. "The architectural flaw is that when many move to the cloud, networks have become flatter, often collapsing into a single zone where internet-facing web servers are on the same network as both application servers and database servers. MongoDB should have strict network access control, and access to ports 27017-27019 should be restricted by firewall rules and ideally only allowed to the localhost on the database."

While the type of insecurity leveraged by attackers may not be new with these attacks, it is one of the first widespread instances where data is being stolen by a vulnerability and held in ransom fashion, says Casey Ellis, CEO of Bugcrowd.

"This is a logical, interesting and pretty scary pivot in the ransom strategy," he says. "Cybercriminals are entrepreneurs at heart. There are tons of open unauthenticated data stores on the internet and where there is a will there is a way. Where there is money to be made cybercriminals will find a way to make it." 

He says that the first wave attacks last week was almost a proof of concept and that the rapid uptick in compromises over the course of the week was inevitable after initial success. Like Kouns, he expects to see a rash of these attacks on similar services in the next month.

It's still unknown how many of the affected organizations truly lost their data and are at the mercy of extortionists to get it back. These are the type of stores that are likely to exist in backups somewhere, says Travis Smith, senior security research engineer at Tripwire.

"Databases are typically high on the list of what enterprises will be backing up on a regular basis, so the encrypted or deleted data can be restored quickly without having to pay a ransom," he says. 

Of course, databases are also arguably the types of systems that also are not put on the public Internet without passwords, too, so it's not a stretch that organizations with such sloppy practices have also created a self-selected pool of targets that are similarly unprotected on the backup front. It will be hard to ever know the exact extent of the extortion damage from these attacks.

More certain, though, will be the growing trend of cyber extortionists continuing to look for fresh meat in 2017. Smith believes that this assault on MongoDB is a sign that ransom trends will get more advanced from the operational perspective, even if not necessarily the technology perspective, as attackers seek out more lucrative targets. 

"Criminals will mirror cyber espionage tactics and do much more reconnaissance before encrypting data," Smith says. "After gaining a foothold, criminals can analyze individual businesses to determine which data is most critical to the business before encrypting anything.  This will allow for a higher ransom in the six- to seven-figure range, rather than a few hundred dollars per infection."

As a result, he believes that in the future we should expect to see a shift from high-volume attacks toward lower-volume attacks with higher ransom amounts.

 

Related Content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.