Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)
An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one of which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related.
lol (Score:4, Insightful)
a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier
Re:lol (Score:4, Funny)
a passwordless admin interface exposed to the internet?
It had to be the Russians, according to federal officials they are the only ones smart enough to pull this off.
Re: (Score:2)
Hey Vlad, things getting a bit boring around Thug Central and yer former KGB buddies?
Re: (Score:2)
a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier
Irrelevant, the important thing is that it scales.
Re: (Score:1)
passwordless access to medical records? OMFG!
Re: (Score:1)
passwordless access to medical records? OMFG!
* fixing my own post
Re: (Score:2)
I don't usually say people deserve to have bad things happen to them, but this is going to be an exception.
An admin leaving a database with direct connectivity to the internet is bad enough---borderline negligence, in my opinion. But a blank admin password?
That's like walking down the street with $100 bills bulging out of your pockets on the bad side of town.
It's not just stupidity---most stupid people don't even do things that stupid.
It's too bad IT doesn't require professional licenses like doctors and la
You are much more sure than SCO is (Score:4, Informative)
> To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.
Some of us pay attention to who is right and wrong, rather than deciding absolutely everything based on "big mean corporation."
SCO originally filed for misappropriation of trade secrets and unfair competition. Later, they decided breach of contract might be better. Still later, they decided maybe copyright infringement. Obviously, SCO wasn't so sure exactly what they were complaining about - not nearly as sure as you are.
They claimed that up to 0.0001% of the Linux kernel might have been derived from Unix, but refused to say which parts. As the judge began to strike down their claims unless they identified which code they were talking about, they pointed to some BSD licensed code written by Thompson - code they clearly had no copyright rights to.
When it was pointed out that Novell, not SCO, owned the Unix copyright, SCO tried to buy the copyrights from Novell. Again, Novell clearly wasn't too sure they owned the copyrights; they were trying to buy them from Novell, yet you're sure that they already owned them.
SCO then claimed that the GPL itself is illegal and unconstitutional! Which would of course mean that SCO were themselves unlawfully distributing GPL code! Yeah that annoyed some people.
SCO didn't just lose a case, they were laughed out of court repeatedly. "We're suing you for violating the copyright on Unix, but we're still trying to buy that copyright so can we have a short delay?" What!?!? It was one of the most ridiculous cases ever. That's why people didn't root for SCO, it was because SCO was engaging in ridiculous trolling that made no sense. They argued that the "offending code" was part of the Linux kernel, then argued that it wasn't. They couldn't even make up their mind.
Re: (Score:1)
True (Score:2)
You are not wrong
Re: (Score:2)
Are we sure that this wasn't a master stroke by SCO to establish some case law in favor of all the things they appeared to be attempting to tear down?
Re: (Score:2)
That reminds me of cases in the Good Wife, except they wisely limited their law humour scripts to half retard, whereas what you describe goes full retard.
Re: (Score:2)
What, exactly, does this have to do with TFA?
Re: (Score:2)
From what I've seen, IBM wants to pull away from AIX because they know that the POWER8 market is shrinking, and so is AIX. This isn't to say that AIX is bad -- it is arguably extremely secure and mature, just like Solaris. However, the market in general is moving from Big Iron to x86-64, to VMs, to cloud based VMs, to serverless services (AWS Lambda), and from pets to cattle, where backups and basic redundancy are viewed as a bother [1] and not an official need.
IBM isn't dumb. Softlayer OpenStack will be an
Re: (Score:2)
I really enjoyed shooting old hard drives containing Netmare 2 back in the day.
Re: (Score:1)
it's pretty simple, poors want free stuff and they want to be recognized for their frugality
so, the poors that can only use Linux because they can't afford PCs or macs now have a vested interest in Linux succeeding because a) they want the free ride to continue and b) they can claim some level of expertise for a nice computer janitor job
now you get to SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of smelly hippie free "as in beer and speech!!!!" Linux. poor Linux "admins" can't have that, it takes away the gravy train in favor of professionals so... it all makes sense when you think about the idiot poors that are trying hard to be real IT pros.
this also explains why stories like databases with no admin password exposed to the internet getting hacked become news.
Bullshit. If you are poor the machines you can buy come with Windows in the price tag. Linux machines are virtually always higher priced because the manufacturers don't get paid to install all the crapware/trial ware on the system. People who use Linux do so because they WANT to. They use Windows because it comes with the system and it is what they know already.
Re: (Score:2)
> so, the poors that can only use Linux because they can't afford PCs or macs now have a vested interest in Linux succeeding because a) they want the free ride to continue and b) they can claim some level of expertise for a nice computer janitor job
For a "janitor job" it pays extremely well - certainly better than your mop janitor job. ;)
> now you get to SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of smelly hippie free "as in beer and speech!!!!" Linux
Linux != UNIX. It never was, an
Re: (Score:1)
Let's be honest, it's an open secret that the Linux kernel contains large sections of copyrighted code from SCO UNIX. For those familiar with both collections of source code, it was generally assumed that SCO would win their lawsuit, and simply a question of what the fallout would be. Although dismissed out of hand by IBM and members of the open source community who were constantly moving the goalposts, SCO did provide a comprehensive list of source files and line numbers in Linux that matched portions of SCO UNIX. The fact is, SCO's claims of copyright violations by Linux developers and users were valid, factual, and completely legal. To this day, the Linux kernel contains large sections of copyrighted code that came straight from SCO UNIX. The open source community generally is vocal in favoring the "little guy" against large corporations like Microsoft and Google, whose motives and actions are frequently called into question. It's bemoaned that the so-called little guy is unlikely to stand a chance against the massive and well-funded legal teams retained by large corporations. This is for good reason, that everyone should be entitled to the same rights, regardless of their ability to afford top notch legal teams. SCO was the little guy compared to IBM, a small company with limited resources simply trying to ensure their copyrights were protected. IBM squashed them like a bug, not because the lawsuit was invalid. In fact, SCO's claims of copyright infringement are generally accepted as mostly correct. Rather, IBM had the legal resources to draw out legal battles and win a war of attrition against SCO, no matter the validity of the claims. If the open source community truly cares about ensuring the little guy has the same rights as large corporations, they should have been supporting SCO against a behemoth like IBM. 
To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.
Sorry Jeff but you must have missed the memo. The SCO Group lost all that in court. They didn't have a legal leg to stand on. They are bankrupt with no assets. Have a nice day.
Re: (Score:2)
Behold people, the "big lie" technique at work.
Managed by morons (Score:4, Interesting)
Your database is exposed to the internet and doesn't have a password? How is it you are still employed?
Re: (Score:2)
Yep, in 2017, we expose stuff to the Internet and it is perfectly safe to do so as long as you know what you are doing. In the old days, dedicated physical pipes were viewed as much safer and were commonly used. Then came "virtual physical pipes". Nowadays, very few outfits use real physical dedicated pipes.
Re: (Score:2)
The problem here is that the "virtual idiots" responsible for systems administration have been replaced by "complete idiots". Not having a password on a database, even if it is not exposed to anything, is extremely foolish, and comparable to leaving fivers lying around on the floor. Sure, leaving them on your bedroom floor is more secure than leaving them on the pavement in the high street, but if you wish to keep them, "on the floor" is not the place for banknotes. If you don't know th
Re: (Score:2)
Nice to meet you Anne.
Re: (Score:2)
First, secure by default is a requirement. Always prompt for a strong user specified password by default. Most people take the path of least resistance when installing and configuring software, so this will drastically reduce instances of network exposed services that lack creds or have documented default creds. Second, if insecure features must be enabled e.g. anonymous access is required in some legitimate use cases, bury such settings deep
Re: (Score:2)
I wouldn't blame the devs. They know where the money is buttered, and that is placating people who scream the loudest, which tends to be marketing and sales. A sales guy clinches a new contract, but told the customer the product has "xxx" feature. It really doesn't, so dev has to cough that feature up ASAP or else the sale gets lost. Management looks at security and the time it takes to do it right versus cutting corners, sees that it doesn't bring any revenue, and tells the dev staff that security can be s
Re: (Score:2)
Re: (Score:2)
I would agree here. F/OSS tends to be about "scratching an itch", but I would say developers of a lot of projects have pride in their work and go above and beyond the call of duty. One example is Borg Backup, which I've been following. Even though nobody is funding the project, it is active and has matured a lot from the Attic fork it once was. This type of code quality where even attacks in theory are fixed is pretty much nonexistent in the private sector for the most part.
Re:Managed by morons (Score:4, Interesting)
Your database is exposed to the internet and doesn't have a password? How is it you are still employed?
This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.
Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.
Re: Managed by morons (Score:3)
Just because a project is open source doesn't mean everyone can contribute to it. MongoDB has been rife with issues since the beginning; the company behind it is only interested in selling its subscription technical service and has a culture that doesn't accept anything that isn't the "Mongo" way or would interfere in the commercialization of its platform, kind of like Poettering on steroids.
Re: (Score:2)
The ironic thing is that you don't have to run MongoDB to get MongoDB functionality. PostgreSQL can do the same thing, except it has a proven track record of security.
The real question... why bother with MongoDB at all, unless something like Splunk requires it? There are better solutions available, both F/OSS and non.
Re: (Score:2)
Some years ago I had a customer passed to me that wanted to know what kind of hoops they needed to jump through to get a Mongo DB approved for our network. No one I knew had ever even heard of it and after about 45 minutes of googling we had to just tell them it would likely never get approved. Getting a big name RDBMS that is actually engineered towards being secure approved is enough of a headache once the developers have had their way with it, Mongo was basically out of the question.
Re: (Score:2)
No traditional RDBMS is "secured by default". You have absolutely no clue what you are talking about. That said, in my experience the only people even more arrogant and stupid in the DB world than the "No SQL" crowd are the traditional RDBMS people.
Re: (Score:2)
Re: (Score:2)
Well, I agree that good security habits may be far less known and followed in the NoSQL-crowd, because they are "hip" and "dynamic" and often inexperienced in server system configuration and management. Also, because all these mistakes _have_ been made with RDBM Systems in the past, they are less likely to be insecure by default, but it still is a risk and you need to check.
In the best case, hardening just involves checks and you find everything is fine. It still needs to be done and sometimes you find inse
Re: (Score:3)
Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.
If they were the price would be set higher.
Re: (Score:3)
There's a third possibility: c) database is (semi)critical, but the person/manager who made/approved it was too cheap to pay a real database administrator to help with the original setup and configuration.
Most engineering professions where lives or large dollar amounts are at risk (civil engineering, structural engineering, many forms of mechanical engineering) require the perso
Re: (Score:2)
I worked in software/electrical engineering for 10 years, then took a look at maybe getting my PE license in electrical - it's a whole different mindset in the PE world, one that software would benefit from, but will take decades to adapt. The people who should be PEs in software are too valuable to industry right now to be bothered with such things. Industry would really be serving itself if they pushed for a PE type of licensing to be instituted, but "learn Java in 21 days" software schools don't even c
Re: (Score:2)
My 13 year old nephews know full well what they can do with a database that is not secured, thank you.
Beware: We may not be the only family to teach 11 year olds SQL.
Re: (Score:2)
Beware: We may not be the only family to teach 11 year olds SQL.
Harsh. Back in my day we got a spanking and were sent to our room.
Re: (Score:2)
200,000 patient records sounds like they might be important to somebody...
Re: (Score:2)
Except this clearly wasn't a targeted attack. So we're down to 1 person losing their job and 1799 people going *sigh* followed by *meh* followed by just nuking their crappy database from orbit.
Re: (Score:2)
As many breaches are inside jobs, exposure to the internet is not even a valid criterion. No DB should ever have open security by default. See Postgresql for a much better model.
Re: (Score:2)
Yes, my machine IS 192.168.1.1 you insensitive clod!
Re:Managed by morons (Score:5, Interesting)
I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.
If that's what actually happened, the Mongo project has some explaining to do
Re: (Score:3)
I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.
If that's what actually happened, the Mongo project has some explaining to do
Wow. If that's true that's the most mindblowingly insane thing I've ever heard about Mongo. I avoid it because of a host of other issues, but if they actively screwed installs - and any of those users have support contracts with MongoDB Inc - it could well spell the end of the company. Can't find anything on the webs about it, so if you do stumble across any details I'd be interested to see them.
Re: (Score:2)
I can't confirm if this is true, as I have a Mongodb with no password (and so upgrades didn't remove anything). My difference is that (a) it's only accessible through localhost, and (b) if any remote clients ever want to use it, they'll do so through an stunnel, which will only accept connections from the known IPs of the clients that should be connecting. In my book, even opening up a properly secured database to the Internet is unnecessary - just open it up to the IPs that need it.
If you're wondering, we
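A check in the spirit of the setup described in this post (loopback only, remote access only through a controlled tunnel) and of the secure-by-default point raised earlier in the thread. This is an added example, not code from the poster or from MongoDB: it parses the simple indented key/value subset of a mongod.conf YAML file and flags the two settings behind this incident, a non-loopback `net.bindIp` and `security.authorization` not set to `enabled`. Both config samples are constructed.

```python
"""Audit a mongod.conf for the two settings behind the 2017 MongoDB ransom
wave: listening on a non-loopback interface and running with authorization
off. Added example; the parser covers only the indented 'section:/key: value'
subset that mongod.conf uses, not general YAML."""

from typing import Dict, List, Tuple

# Constructed sample: the "wide open" shape many hijacked instances had.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
#security:
#  authorization: enabled
"""

# Constructed sample: loopback only, authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten 'section:\\n  key: value' lines into {'section.key': 'value'}.
    Comments and blank lines are skipped; nesting follows indentation."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) path to current line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling sections
            stack.pop()
        prefix = ".".join(k for _, k in stack)
        path = f"{prefix}.{key}" if prefix else key
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key))  # section header, descend
    return flat


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit(flat: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings: List[str] = []
    bind = flat.get("net.bindIp")
    if bind is None:
        # mongod before 3.6 listened on all interfaces when bindIp was unset.
        findings.append("net.bindIp unset: pre-3.6 mongod defaults to all interfaces")
    else:
        exposed = [a.strip() for a in bind.split(",") if not is_loopback(a.strip())]
        if exposed:
            findings.append("net.bindIp listens on non-loopback address(es): " + ", ".join(exposed))
    if flat.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not 'enabled': any client that connects has full access")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(conf)) or ["OK"])
```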
Re: (Score:1)
It's China. Really, regular IT people (not the government's hackers) here are notoriously clueless about security. I've encountered various systems in the last years here in China that ran with no passwords or default passwords, because some underpaid drone didn't care to do some extra work. Favorite Chinese passwords? qwerty, 12345, companynameCURRENTYEAR, some patterns you can type on your keyboard like 147896. Security through obscurity is also a favorite concept.
Re: (Score:2)
Simple: Morons in IT are far cheaper salary-wise than people with a clue. And morons in management are too stupid to see that these people cost extremely much more overall than people with a clue. This is why such gross stupidity happens all the time in modern IT.
I imagine this is how things were done in the Roman Empire, right before it collapsed...
$200 (Score:3)
... asking for 0.2 Bitcoin ($200) ransom
That seems like a modest ransom. At least he isn't greedy.
Re:$200 (Score:4, Interesting)
Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.
Re: (Score:2)
We also don't know what the healthcare organisation used it for. It could just be an admin's experimental project, and contain literally nothing of interest to anyone. Less likely is that it contains any actual medical information for identifiable people.
Re: (Score:2)
How does he get rich? Volume! As well as the attitude of "let's just pay it, it's so small". Factor in that it might even be a misdemeanor in some places. And we do not even know how many places were hit. Overall a clever strategy.
Clearly... (Score:5, Funny)
Re:Clearly... (Score:4, Funny)
The lack of admin password is the secret sauce.
Re: (Score:2)
It does have a password, but it stores it in /dev/null for higher performance.
Too bad there's no CVE for retarded admins (Score:1)
If there was a CVE assigned for every stupid mongodb admin, they'd have blown Android out of the water.
You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!
Re: (Score:2)
Opening your mongodb to the internet does NOT make it webscale!
True, 1800 attacks isn't quite webscale yet! I'd add two more zeros.
Russians (Score:2, Funny)
Those pesky Russians are at it again.
Re: (Score:2)
That's what he said.
Who do you think the "and friends" are?
Nuke, upgrade, and restore from backups (Score:2)
Re:Nuke, upgrade, and restore from backups (Score:5, Insightful)
You think that someone who didn't bother setting an admin password for an Internet facing database bothered to configure backups for it?
Re:Nuke, upgrade, and restore from backups (Score:5, Interesting)
they backed up to /dev/null because it was web scale.
Re: (Score:2)
Re: (Score:2)
Wow, someone who wants to race to the bottom even quicker. Then again, what can you expect from an AC?
Technically if they had configured the security there wouldn't be a problem.
Provably false, because it is impossible to anticipate every security problem, especially since you're trying to hit a moving target. Never been done, can't be done within the heat death of the universe.
Web enabled is inevitable
Only if you're someone who wants to really screw over users, with things like all-time connections required, downloadable content, adware, etc. Local networks did just fine for a LONG time for all sorts of
Personally I blame... (Score:2)
The idiot developers that want everything in [ insert the name of your currently favorite dev language here ] including security!
They all want a single, or better yet, no username and password on the db in question! When will the developers EVER learn, anything
Re: (Score:2)
This is one big reason I have come to hate IT and developers. The same stupid mistakes over and over again. And when you flag it you get a an attitude of "u r old sk3w1", "you don't get it", etc.
And in at least 2 cases I tried to warn them and when the fecal material impacted the rotary air circulation device guess who got blamed? The guy who tried to stop them. As if I had somehow jinxed them by trying to help them.
Biker war ? (Score:1)
The Mongols motorcycle club have been at war with the Hells Angels for years. This might be an attempt at attacking their members.
Heads should roll for this (Score:2)
This is equivalent to the facilities guy at work installing new doors with no locks and then a thief putting locks on all the doors with a note to pay him $200 to get the keys to the new locks; it is almost a public service in this case. Heads should roll for this stupidity, though most at the executive level have such a poor understanding of good security practices, who knows.
Mongo is Ransom Scale (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Even easier with Elasticsearch (Score:2)
This is the result of poor decision making, but a hack like this is even easier with Elasticsearch.
Unless you pay for a license, Elasticsearch doesn't even offer something as simple as user/password authentication.
Seriously.
Re: (Score:2)
It is a reflection of the software development methodology in general. MongoDB is supposed to be fast... like taking a car, yanking all the seats, the windows, the doors, the hood and trunk, all but one brake pad, and saying that it is a performance monster. Of course, the fact that it has been rendered worthless for tasks that need auditability and security is beside the point.