How to secure MongoDB instances to avoid ransom attacks
“MongoDB apocalypse is here as Ransom Attacks”
Recently, attackers have carried out a large number of malicious attacks on unsecured MongoDB instances running openly on the internet.
The attackers erased the databases and demanded that a ransom be paid before restoring them.
Cyberciti has published an interesting article about the new MongoDB ransom attack and how to protect servers from it:
MongoDB ransom attacks are in the wild. I am using it for storing data on my public-facing cloud server powered by Ubuntu Linux. How do I protect and secure my MongoDB NoSQL server on a Linux or Unix operating system?
A more technical and complete article was published on the official MongoDB website:
Table of contents
- Enable Access Control and Enforce Authentication
- Configure Role-Based Access Control
- Encrypt Communication
- Encrypt and Protect Data
- Limit Network Exposure
- Audit System Activity
- Run MongoDB with a Dedicated User
- Run MongoDB with Secure Configuration Options
- Request a Security Technical Implementation Guide (where applicable)
- Consider Security Standards Compliance
And finally, in this article on the MongoDB website, Andreas Nilsson explains how to prevent an attack and how to respond to one:
The “Ransom Attack”
According to BleepingComputer:
The number of hijacked MongoDB servers held for ransom has skyrocketed in the past two days from 10,500 to over 28,200, thanks in large part to the involvement of a professional ransomware group known as Kraken.
According to statistics provided by two security researchers monitoring these attacks, Victor Gevers and Niall Merrigan, this group is behind nearly 16,000 hijacked databases, which is around 56% of all ransacked MongoDB instances.
The Kraken group got involved in these MongoDB attacks on Friday, January 6, seeing how successful and profitable previous attacks from other groups had been.
The attacks don’t target all MongoDB databases, but only those left accessible via the Internet and without a password on the administrator account.
Starting on December 20, a hacker has been accessing some of these open databases, exporting their content, and replacing it with a ransom note.
How does it work?
From the Snyk blog:
The hack itself is alarmingly simple. In versions >= 2.6.0, MongoDB includes a default configuration file that binds MongoDB to 127.0.0.1 by default. As a result, the database will only listen to local connections.
Before version 2.6.0, that wasn’t true.
By default, MongoDB was left open to remote connections. Authentication is also not required by default, which means that out of the box installs of MongoDB before version 2.6.0 happily accept unauthenticated remote connections.
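The two conditions the Snyk post describes (mongod reachable from the network, and no authentication required) are exactly what the first items of the MongoDB checklist above, "Enable Access Control and Enforce Authentication" and "Limit Network Exposure", remove. The script below is an added example, not code from this page, from Snyk, from Cyberciti or from MongoDB: it audits a mongod.conf for that combination using two constructed sample configurations (an exposed one in the pre-2.6 style and a hardened one), and prints the checklist steps for enabling access control. The keys net.bindIp, net.bindIpAll, net.ssl and security.authorization are real mongod option names (net.ssl was renamed net.tls in MongoDB 4.2, a fact not stated on the page); the user name siteAdmin, the file paths and the placeholder password are assumptions. A config with no bindIp at all is treated as exposed, which matches MongoDB binaries before 3.6; from 3.6 onward the binaries themselves default to localhost, so that rule is deliberately conservative.

```shell
#!/bin/sh
# Added example (not from the page, Snyk, Cyberciti or MongoDB): audit a mongod.conf
# for the combination the ransom attacks relied on, and show the hardening steps.

# Constructed sample 1: pre-2.6 style exposure. No bindIp (binaries before 3.6
# then listen on all interfaces) and no security.authorization.
WEAK_CONF='storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
'

# Constructed sample 2: hardened. Loopback only, TLS required, authorization on.
# (net.ssl is the 3.x-era key; it was renamed net.tls in MongoDB 4.2.)
HARDENED_CONF='storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
'

# conf_value CONF KEY: print the value of the first "KEY: value" line in CONF.
# Good enough for the flat leaf keys this audit looks at; it is not a YAML parser.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# audit_mongod_conf CONF prints one of:
#   EXPOSED           reachable from the network and authorization not enabled
#   REMOTE_WITH_AUTH  reachable from the network, but clients must authenticate
#   LOCAL_ONLY        bound to loopback only
audit_mongod_conf() {
    conf=$1
    bind=$(conf_value "$conf" bindIp)
    bindall=$(conf_value "$conf" bindIpAll)
    auth=$(conf_value "$conf" authorization)

    remote=no
    if [ "$bindall" = "true" ]; then
        remote=yes
    elif [ -z "$bind" ]; then
        remote=yes      # no bindIp: assume the pre-3.6 default of all interfaces
    else
        # bindIp may be a comma-separated list; any non-loopback entry counts
        for ip in $(printf '%s' "$bind" | tr ',' ' '); do
            case "$ip" in
                127.0.0.1|localhost|::1) ;;
                *) remote=yes ;;
            esac
        done
    fi

    if [ "$remote" = yes ] && [ "$auth" != "enabled" ]; then
        echo EXPOSED
    elif [ "$remote" = yes ]; then
        echo REMOTE_WITH_AUTH
    else
        echo LOCAL_ONLY
    fi
}

# write_hardened_conf PATH: write the hardened sample to PATH, readable only by
# the owner, for the operator to adjust and install as /etc/mongod.conf.
write_hardened_conf() {
    printf '%s' "$HARDENED_CONF" > "$1" && chmod 0600 "$1"
}

# The checklist steps for "Enable Access Control". They need a running mongod and
# the mongo shell, so this function only prints them. siteAdmin and the placeholder
# password are assumptions; replace the password before running.
show_hardening_steps() {
    cat <<'EOF'
# 1. While mongod still runs without auth, create the first admin user over loopback:
mongo --host 127.0.0.1 admin --eval 'db.createUser({
    user: "siteAdmin",
    pwd: "CHANGE_ME_TO_A_STRONG_PASSWORD",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })'
# 2. Install the hardened configuration and restart:
sudo install -m 0600 -o mongodb -g mongodb mongod.conf.hardened /etc/mongod.conf
sudo systemctl restart mongod
# 3. Confirm that unauthenticated access is now refused (expect "not authorized"):
mongo --host 127.0.0.1 admin --eval 'db.getUsers()'
# 4. Confirm nothing listens on a public interface:
ss -ltnp | grep 27017
EOF
}

echo "weak sample:     $(audit_mongod_conf "$WEAK_CONF")"
echo "hardened sample: $(audit_mongod_conf "$HARDENED_CONF")"
show_hardening_steps
```

Run the script against the contents of the host's own /etc/mongod.conf (for example, `audit_mongod_conf "$(cat /etc/mongod.conf)"`) to get the same three-way verdict; anything other than LOCAL_ONLY on a public-facing host deserves a second look, and EXPOSED is precisely the state the attacks described above were scanning for.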