
Is Your MongoDB Database Secured Against Ransom Attacks?

MongoDB is a popular NoSQL database with a serious problem. Tens of thousands of MongoDB databases have been hacked by criminals, who replace the data with a simple message: “Send us money or your data is gone forever”. In fact, calling it a hack is overly generous, since there’s very little hacking involved: the databases have no protection and are exposed to the internet.

By default, MongoDB doesn’t force its users to create authentication credentials. It appears that many users don’t understand that MongoDB is insecure by default, and so they do nothing to mitigate the problem. We’re seeing the power of defaults in action, and many argue that it’s unconscionable for a database used in business-critical applications to have defaults that expose its contents to the whole world.

There are arguments on the other side too. It’s much easier to quickly deploy and test a MongoDB database if you don’t have to deal with authentication and security every time. MongoDB experts who understand the thinking behind the defaults are often in favor of them, as, it appears, are the project’s developers.

But that doesn’t help the thousands of companies who have lost critical data because their database is happy to let everyone with an internet connection examine and manipulate it.

It’s not a new problem, but over the past couple of months, the incidence of ransom attacks against MongoDB has skyrocketed, and everyone who uses MongoDB should take action to ensure their database is configured correctly.

MongoDB has published guidance for making the database secure.
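The two settings that turn a fresh install into a ransom target are the ones mentioned above: no authentication required, and a listener reachable from every interface. The script below is an added example, not code from the original post or from the MongoDB project: it writes two constructed mongod.conf files (one in the exposed shape, one hardened the way the published guidance recommends) and audits each for those settings. The option names it checks (security.authorization, net.bindIp, net.bindIpAll) are MongoDB’s documented YAML configuration keys; the file contents and paths are made up for the example, and a plain-text audit like this is a quick check, not a substitute for the full security checklist.

```shell
#!/bin/sh
# Added example (not from the original post or the MongoDB project): audit a
# mongod.conf for the two settings behind the ransom attacks, missing
# authentication and a listener bound to every interface. The config keys are
# MongoDB's documented YAML options; both sample files are constructed here.

WORK=$(mktemp -d)
INSECURE_CONF="$WORK/mongod-insecure.conf"
HARDENED_CONF="$WORK/mongod-hardened.conf"

# Constructed: the "works out of the box" shape that ends up on Shodan.
cat > "$INSECURE_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# no security section, so no credentials are required
EOF

# Constructed: the same server with authentication on and loopback-only binding.
cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

# audit_mongod_conf FILE
# Prints one line per finding. Returns 0 when authorization is enabled and the
# listener is bound only to specific addresses, 1 when either check fails.
audit_mongod_conf() {
  conf="$1"
  rc=0

  # Without security.authorization: enabled, anyone who reaches the port can
  # read, copy and drop every collection, which is exactly the ransom scenario.
  if ! grep -Eq "^[[:space:]]*authorization:[[:space:]]*[\"']?enabled" "$conf"; then
    echo "FAIL $conf: security.authorization is not enabled"
    rc=1
  fi

  # net.bindIpAll: true listens on every interface regardless of bindIp.
  if grep -Eq "^[[:space:]]*bindIpAll:[[:space:]]*true" "$conf"; then
    echo "FAIL $conf: net.bindIpAll is true, the port is reachable on all interfaces"
    rc=1
  fi

  # bindIp decides which interfaces mongod listens on. 0.0.0.0 or :: means every
  # interface, including the public one. A missing bindIp is flagged as well,
  # because the safe default depends on the MongoDB version and package, and an
  # audit should not assume it.
  bind=$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$conf" | head -n 1 | tr -d "\"'")
  if [ -z "$bind" ]; then
    echo "FAIL $conf: net.bindIp is not set; set it explicitly (127.0.0.1 for local-only)"
    rc=1
  else
    for addr in $(printf '%s' "$bind" | tr ',' ' '); do
      case "$addr" in
        0.0.0.0|::)
          echo "FAIL $conf: net.bindIp includes $addr, the port is reachable from the internet"
          rc=1 ;;
      esac
    done
  fi

  [ "$rc" -eq 0 ] && echo "OK   $conf: authentication required, bound to $bind"
  return "$rc"
}

# Stand-alone run: report on both files; the loop keeps going after a FAIL.
for f in "$INSECURE_CONF" "$HARDENED_CONF"; do
  audit_mongod_conf "$f" || true
done
```

Run it against your own file with `audit_mongod_conf /etc/mongod.conf` (that path is the usual package location, not something the script assumes). Note that the hardened config only stops unauthenticated access; it still needs an administrative user created once authorization is on, and if the database must be reachable from other hosts, a firewall rule limiting the port to those hosts rather than a public bind.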

These attacks are especially pernicious, because unlike the typical ransomware attacks against businesses, the data is often not returned. Attackers aren’t encrypting data in place; they’re copying it off the server and then deleting the original, leaving nothing behind but an email address to contact for payment.


The attack has become so widespread that criminals are competing against each other. An already compromised database will often be compromised again by another attacker who simply changes the ransom demand. The second attacker never had access to the data in the first place because the first had already deleted it — even if the company pays, they won’t get the data back and they lose any hope of contacting the original attacker.

Insecure MongoDB sites are easy to find. It appears many of the attackers are using the Shodan search engine, which helpfully allows people to search for devices and services connected to the internet.

There are two lessons to be learned here. Secure defaults matter. There’s nothing to stop the MongoDB project or downstream distributors from releasing separate “testing” and “production” packages with appropriate defaults for each.

But perhaps even more importantly, if you’re going to deploy a piece of software on the internet, make sure you understand it — take the time to look at the documentation, or at least Google for information about how to secure it.


Jay Caissie

Jay Caissie is the Director of IT at ServerMania.

  • There was an alarming TV documentary talking about tons of infrastructure all across the world, in every facet of life, shipped with insecure defaults that have never been secured by the purchasers. It is standard practice to ship products with unsecured defaults so the user can begin trying it out right off the bat. Vendors say they do this so as not to discourage the new user, and the expectation is that once the new user gets it working they would follow up and secure it secondly. But they never do secure it. You can change road lights, access security cameras, … The US voting machines, I saw another documentary, do not include basic security, and it is not even a default-settings situation; it is left unsecured by the manufacturer with no security options. They say it is expected to remain in trusted hands, which kinda makes sense. But on the other hand, why not just secure it anyway?

    MongoDB is pretty sweet if you can secure it. I disable remote access and only access it locally via my server coding platform. It’s great for web development ’cause it is in JSON, which pairs well with front-end JS. And unlike most other new NoSQL DBs, it has a rich querying syntax like MySQL.

    Nice post, ransomed data, lol. I mean, you fill up a database, then lose it, you will pay to get it back. omg.