MongoDB Ransom Victims Had No Account Passwords


Open source database provider MongoDB has confirmed to Infosecurity that the victims of a new wave of ransom attacks last week had no password protection for their admin accounts.

As many as 76,000 victims were caught out last week after a handful of attackers searched the internet for public-facing but unsecured databases.

Where they found an instance whose admin account had no credentials at all, they could connect without authenticating, copy the data off to their own servers, delete it and leave a ransom note in its place demanding BTC 0.15 (around $650).

In a blog post on Friday, Davi Ottenheimer, MongoDB's senior director of product security, explained that the firm has been working to make secure deployment the easy, default path.

He said:

“Helping direct users towards safe network options is why since release 2.6.0 we have made localhost binding the default configuration in our most popular deployment package formats, RPM and deb. This means all networked connections to the database are denied unless explicitly configured by an administrator. Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release.”

Localhost binding does not add a password; it removes the exposure instead. With the listener bound to 127.0.0.1 (the bindIp setting), mongod accepts connections only from processes on the same machine, so an instance with no admin credentials is still unreachable from the public internet and cannot be found by the kind of mass scanning that turned up last week's victims. Any deployment that must accept remote connections has to relax that binding, and at that point access control and an admin password become essential, because the binding alone no longer protects anything.

That suggests last week's victims were running releases older than 2.6.0, had installed MongoDB from something other than the RPM or deb packages (a tarball, for example), or had deliberately overridden the default so that the server listened on all interfaces.
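The check the attackers' scans were effectively running, as an added example (not code from MongoDB or from this article): a standard-library-only Python script that connects to the port mongod listens on and asks for listDatabases with no credentials. An instance that answers is exactly the exposed, credential-less deployment described above; one with access control enabled refuses with error code 13 (Unauthorized); one bound to localhost cannot be reached from another host at all. The host and port are whatever the caller passes in, the sample replies at the bottom are constructed rather than captured, and the script speaks the legacy OP_QUERY opcode that 3.x-era servers accept (later server versions dropped OP_QUERY for ordinary commands, so against them the request would be rejected rather than answered).

```python
# Added example, not MongoDB's code: probe a host for admin access without credentials.
import socket
import struct
import sys

OP_REPLY, OP_QUERY = 1, 2004
MONGO_PORT = 27017  # mongod's default listening port

def bson_encode(doc):
    """Encode bool/int/float/str/list/dict values as a BSON document (subset)."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(raw)) + raw
        elif isinstance(value, list):  # a BSON array is a document keyed "0", "1", ...
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        else:
            raise TypeError(f"unsupported value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def bson_decode(buf):
    """Decode one BSON document (same subset); returns (dict, bytes consumed)."""
    total, pos, doc = struct.unpack_from("<i", buf, 0)[0], 4, {}
    while buf[pos] != 0:
        kind, end = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:end].decode(), end + 1
        if kind == 0x01:  # double
            doc[key] = struct.unpack_from("<d", buf, pos)[0]; pos += 8
        elif kind == 0x02:  # string: int32 length (including the NUL), then bytes
            n = struct.unpack_from("<i", buf, pos)[0]
            doc[key] = buf[pos + 4:pos + 3 + n].decode(); pos += 4 + n
        elif kind in (0x03, 0x04):  # embedded document / array (array comes back as a dict)
            doc[key], n = bson_decode(buf[pos:]); pos += n
        elif kind == 0x08:  # boolean
            doc[key] = buf[pos] == 1; pos += 1
        elif kind == 0x10:  # int32
            doc[key] = struct.unpack_from("<i", buf, pos)[0]; pos += 4
        elif kind in (0x11, 0x12):  # timestamp / int64, both kept as raw 8-byte integers
            doc[key] = struct.unpack_from("<q", buf, pos)[0]; pos += 8
        else:
            raise ValueError(f"unsupported BSON type 0x{kind:02x} for {key!r}")
    return doc, total

def build_command(db, command, request_id=1):
    """Wrap a command document in an OP_QUERY against <db>.$cmd."""
    body = (struct.pack("<i", 0) + f"{db}.$cmd".encode() + b"\x00"
            + struct.pack("<ii", 0, -1) + bson_encode(command))  # flags, skip, numberToReturn
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body

def parse_reply(data):
    """Return the first document carried by an OP_REPLY message."""
    length, _, _, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_REPLY or length != len(data) or struct.unpack_from("<iqii", data, 16)[3] < 1:
        raise ValueError("not a well-formed OP_REPLY carrying a document")
    return bson_decode(data[36:])[0]  # 16-byte header + 20 bytes of reply fields

def classify(reply):
    """'open': ran with no credentials; 'auth-required': refused with code 13 (Unauthorized)."""
    if reply.get("ok") == 1:
        return "open"
    if reply.get("code") == 13 or reply.get("codeName") == "Unauthorized":
        return "auth-required"
    return "unknown"

def make_reply(doc, response_to=1):  # builds an OP_REPLY carrying one document
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)  # flags, cursorID, start, count
    return struct.pack("<iiii", 16 + len(body), 2, response_to, OP_REPLY) + body

# Constructed sample replies (not captured traffic), shaped like real listDatabases answers.
SAMPLE_OPEN_REPLY = make_reply({"databases": [
    {"name": "admin", "sizeOnDisk": 32768.0, "empty": False},
    {"name": "customers", "sizeOnDisk": 4194304.0, "empty": False}],
    "totalSize": 4227072.0, "ok": 1.0})
SAMPLE_AUTH_REPLY = make_reply({"ok": 0.0, "code": 13, "codeName": "Unauthorized",
    "errmsg": "not authorized on admin to execute command { listDatabases: 1 }"})

def check_host(host, port=MONGO_PORT, timeout=5.0):
    """Ask for listDatabases with no credentials and classify the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rx:
        sock.sendall(build_command("admin", {"listDatabases": 1}))
        head = rx.read(4)  # messageLength comes first
        if len(head) < 4:
            raise ConnectionError("server closed the connection without replying")
        data = head + rx.read(struct.unpack("<i", head)[0] - 4)
    return classify(parse_reply(data))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:{MONGO_PORT} -> {check_host(target)}")
```

Run it only against hosts you are responsible for. "auth-required" means access control is on; "open" means anyone who can reach the port has the same access the ransom attackers had, and the remedy is to enable security.authorization, create an admin user with a real password, and bind the listener only to the interfaces that genuinely need it.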

Ottenheimer added that the download center now carries a warning so that users installing non-packaged distributions understand the network configuration risks.

MongoDB Atlas, the company's database-as-a-service offering, also heads off this kind of misconfiguration by providing secure infrastructure by default, he added.

The incident once again highlights the security awareness challenge facing many open source vendors: their products are highly configurable, but some users do not appear to have the skills to put adequate controls in place.

A blog post from earlier in the year, published when a first round of ransom attacks hit MongoDB users, explains how to avoid such an attack, and MongoDB's security checklist sets out the key best practices to be aware of.
