MongoDB Ransomware Explosion
Recently I posted an article on LinkedIn about MongoDB security… well, it turns out that this has exploded into a big issue. Over the last two weeks malicious hackers have been going crazy with extortion schemes. Hackers are connecting to unsecured MongoDB instances, encrypting the data and then demanding payment before they will release the data.
DO NOT PAY.
The hackers are demanding a fee between 0.1 and 1.0 bitcoin. This may seem small, but extortion is still extortion. It is more important than ever before to secure your data. Just as you would secure your MS SQL Servers, you should secure your MongoDB instances.
The problem we have with this case, is that most of these appear to show that the data was not exfilltrated at all. In most cases, it was just deleted all together and no recovery is possible with or without paying them.
DO NOT PAY.
There is no guarantee that paying a ransom will result in the recovery of your data. There is also no reason to believe that your data will not be sold on the darknet or posted publicly. Payment is not a solution to the issue. Paying someone, whether they can recover your data or not, is only a way to insure that they try attacking you again. At that point you have shown them that you are willing to pay out money and negotiate. Next time, it will likely be a much higher price.
Of the 14,972 United States based MongoDB instances I have found unsecured, all those I have re-checked, have been compromised at this time. I have not run a full scan yet to see how many of them are still secured, but I hope some of those I sent warnings to previously were able to secure their data.
Fake Numbers Everywhere
I have seen a few news articles posted in the last couple of days saying things like “he found over 90,000 instances”… those numbers are not reflective of actual instances. Those are reflective of individual DBs that were unsecured. In the United States, I pulled every single public facing IP I could scan and there are 14,972 actual IPv4 addresses that were open and unsecured. There are many more than that out there, but the rest of them are secured. The 90,000+ numbers appear to be the number of databases and are inflated to make the news seem bigger.
Please note, that I connect from one single IP every time I test a server. I never touch any data other than connect to see if it is open. My IP address is 220.127.116.11 and has been for the duration of my MongoDB testing. If any organizations that I have tested would like to discuss my tests, actions, or have questions on how to secure your MongoDB instances properly, please contact me on Twitter @KalyptoNet.
I will be re-posting my LinkedIn article here for a wider audience.
As with all research I do, it is non-destructive, non-malicious, and my aim is to assist people in securing their systems before someone malicious attacks.