
Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that have no administrator password and accept external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one of which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker hijacked hundreds of Linux servers running Redis DB and installed the Fairware ransomware on them. The two series of attacks don't appear to be related.
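A defender-side check for the two conditions the summary describes (a mongod reachable from outside and running with authorization off), written as an added example that is not part of the article or of MongoDB's own tooling. It audits a mongod.conf in the YAML layout MongoDB uses; `net.bindIp` and `security.authorization` are real configuration keys, while the two sample configuration strings and the minimal parser are constructed for this example.

```python
"""Audit a mongod.conf for the two settings behind the ransomed instances:
listening on a non-loopback interface and running with authorization off.
Added example: the sample configs below are constructed, not from any real host."""

# Constructed sample: the exposed pattern (all interfaces, no auth section).
WEAK_CONF = """\
# mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, role-based access control turned on.
HARDENED_CONF = """\
# mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse the flat `section:` / `  key: value` layout mongod.conf uses.

    Deliberately minimal (no lists, anchors or multi-line scalars) so the
    audit runs with the standard library alone; use PyYAML for real files.
    """
    root = {}
    stack = [(-1, root)]            # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:         # climb out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # a section header opens a mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    # bindIp may be a comma-separated list. A missing value is treated as
    # exposed: mongod releases current in early 2017 bound every interface
    # unless the config said otherwise.
    bind = net.get("bindIp", "0.0.0.0")
    exposed = [a.strip() for a in bind.split(",") if a.strip() not in LOOPBACK]
    if exposed:
        findings.append("net.bindIp listens on non-loopback address(es): "
                        + ", ".join(exposed))

    auth_on = security.get("authorization") == "enabled"
    if not auth_on:
        findings.append("security.authorization is not 'enabled': any client "
                        "that can connect has full read/write access")

    if exposed and not auth_on:
        findings.append("CRITICAL: reachable from the network with no "
                        "authentication, the condition named in the report")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(parse_simple_yaml(text))
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run as a script it prints PASS for the hardened sample and three findings for the weak one. Turning on `security.authorization` only helps once an administrative user has actually been created, so a real audit would also confirm that the `admin` database holds at least one user.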
  • lol (Score:4, Insightful)

    by Anonymous Coward on Wednesday January 04, 2017 @06:54PM (#53607127)

    a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

    • Re:lol (Score:4, Funny)

      by Mr D from 63 ( 3395377 ) on Wednesday January 04, 2017 @07:54PM (#53607453)

      a passwordless admin interface exposed to the internet?

      It had to be the Russians, according to federal officials they are the only ones smart enough to pull this off.

      • by gtall ( 79522 )

        Hey Vlad, things getting a bit boring around Thug Central and yer former KGB buddies?

    • by ls671 ( 1122017 )

      a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

      Irrelevant, the important thing is that it scales.

    • one which hit a prominent U.S. healthcare organization

      passwordless access to medical records? OMFG!

      • one which hit a prominent U.S. healthcare organization

        passwordless access to medical records? OMFG!

        * fixing my own post

    • I don't usually say people deserve to have bad things happen to them, but this is going to be an exception.

      An admin leaving a database with direct connectivity to the internet is bad enough---borderline negligence, in my opinion. But a blank admin password?

      That's like walking down the street with $100 bills bulging out of your pockets on the bad side of town.

      It's not just stupidity---most stupid people don't even do things that stupid.

      It's too bad IT doesn't require professional licenses like doctors and la

  • Managed by morons (Score:4, Interesting)

    by rossz ( 67331 ) on Wednesday January 04, 2017 @06:55PM (#53607137)

    Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

    • Re:Managed by morons (Score:4, Interesting)

      by anchovy_chekov ( 1935296 ) on Wednesday January 04, 2017 @07:17PM (#53607249)

      Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

      This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.

      Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.

      • Some years ago I had a customer passed to me that wanted to know what kind of hoops they needed to jump through to get a Mongo DB approved for our network. No one I knew had ever even heard of it and after about 45 minutes of googling we had to just tell them it would likely never get approved. Getting a big name RDBMS that is actually engineered towards being secure approved is enough of a headache once the developers have had their way with it, Mongo was basically out of the question.

      • by gweihir ( 88907 )

        No traditional RDBMS is "secured by default". You have absolutely no clue what you are talking about. That said, in my experience the only people even more arrogant and stupid in the DB world than the "No SQL" crowd are the traditional RDBMS people.

        • Our experiences may differ here. Depending on the package manager you're using, Postgres (as an example) typically won't even allow remote access until you explicitly enable it. And usually the user associated with the base schema has at least a password. There are exceptions I realise. I guess it's part of the culture. If you've grown up with old school database systems it's almost second nature to check the security model, whereas NoSQL fans I've worked with seem to be happy that things have installed (an
          • by gweihir ( 88907 )

            Well, I agree that good security habits may be far less known and followed in the NoSQL-crowd, because they are "hip" and "dynamic" and often inexperienced in server system configuration and management. Also, because all these mistakes _have_ been made with RDBM Systems in the past, they are less likely to be insecure by default, but it still is a risk and you need to check.

            In the best case, hardening just involves checks and you find everything is fine. It still needs to be done and sometimes you find inse

    • Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

      If they were the price would be set higher.

      • Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

        There's a third possibility: c) database is (semi)critical, but the person/manager who made/approved it was too cheap to pay a real database administrator to help with the original setup and configuration.

        Most engineering professions where lives or large dollar amounts are at risk (civil engineering, structural engineering, many forms of mechanical engineering) require the perso

        • I worked in software/electrical engineering for 10 years, then took a look at maybe getting my PE license in electrical - it's a whole different mindset in the PE world, one that software would benefit from, but will take decades to adapt. The people who should be PEs in software are too valuable to industry right now to be bothered with such things. Industry would really be serving itself if they pushed for a PE type of licensing to be instituted, but "learn Java in 21 days" software schools don't even c

        • you can get your 13 year old nephew

          My 13 year old nephews know full well what they can do with a database that is not secured, thank you.

          Beware: We may not be the only family to teach 11 year olds SQL.

          • Beware: We may not be the only family to teach 11 year olds SQL.

            Harsh. Back in my day we got a spanking and were sent to our room.

      • 200,000 patient records sounds like they might be important to somebody...

        • Except this clearly wasn't a targeted attack. So we're down to 1 person losing their job and 1799 people going *sigh* followed by *meh* followed by just nuking their crappy database from orbit.

    • Re:Managed by morons (Score:5, Interesting)

      by tomhath ( 637240 ) on Wednesday January 04, 2017 @07:36PM (#53607347)

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do

      • I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

        If that's what actually happened, the Mongo project has some explaining to do

        Wow. If that's true that's the most mindblowingly insane thing I've ever heard about Mongo. I avoid it because of a host of other issues, but if they actively screwed installs - and any of those users have support contracts with MongoDB Inc - it could well spell the end of the company. Can't find anything on the webs about it, so if you do stumble across any details I'd be interested to see them.

        • I can't confirm if this is true, as I have a Mongodb with no password (and so upgrades didn't remove anything). My difference is that (a) it's only accessible through localhost, and (b) if any remote clients ever want to use it, they'll do so through an stunnel, which will only accept connections from the known IPs of the clients that should be connecting. In my book, even opening up a properly secured database to the Internet is unnecessary - just open it up to the IPs that need it.

          If you're wondering, we

    • It's China. Really, regular IT people (not the government's hackers) here are notoriously clueless about security. I've encountered various systems in the last years here in China that ran with no passwords or default passwords, because some underpaid drone didn't care to do some extra work. Favorite Chinese passwords? qwerty, 12345, companynameCURRENTYEAR, some patterns you can type on your keyboard like 147896. Security through obscurity is also a favorite concept.

    • by gweihir ( 88907 )

      Simple: Morons in IT are far cheaper salary-wise than people with a clue. And morons in management are too stupid to see that these people cost extremely much more overall than people with a clue. This is why such gross stupidity happens all the time in modern IT.

      I imagine this is how things were done in the Roman Empire, right before it collapsed...

  • by ShanghaiBill ( 739463 ) on Wednesday January 04, 2017 @06:56PM (#53607147)

    ... asking for 0.2 Bitcoin ($200) ransom

    That seems like a modest ransom. At least he isn't greedy.

    • Re:$200 (Score:4, Interesting)

      by thegarbz ( 1787294 ) on Wednesday January 04, 2017 @07:16PM (#53607247)

      Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.

      • We also don't know what the healthcare organisation used it for. It could just be an admin's experimental project, and contain literally nothing of interest to anyone. Less likely is that it contains any actual medical information for identifiable people.

    • by plopez ( 54068 )

      How does he get rich? Volume! As well as the attitude of "let's just pay it, it's so small". Factor in that it might even be a misdemeanor in some places. And we do not even know how many places were hit. Overall a clever strategy.

  • Clearly... (Score:5, Funny)

    by QRDeNameland ( 873957 ) on Wednesday January 04, 2017 @06:56PM (#53607149)

    MongoDB attacks are Web Scale.

  • by Anonymous Coward

    If there was a CVE assigned for every stupid mongodb admin, they'd have blown Android out of the water.

    You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!

    • Opening your mongodb to the internet does NOT make it webscale!

      True, 1800 attacks isn't quite webscale yet! I'd add two more zeros.

  • Russians (Score:2, Funny)

    by Ant2 ( 252143 )

    Those pesky Russians are at it again.

  • Fuck these ransom guys. Keeping good backups is a little bit of extra work, but at least you have the option to restore, even if you've been hacked because of gross negligence / shameful ignorance / plain stupidity like this.

  • The idiot developers that want everything in [ insert the name of your currently favorite dev language here ] including security!

    They all want a single, or better yet, no username and password on the db in question! When will the developers EVER learn, anything

    • by plopez ( 54068 )

      This is one big reason I have come to hate IT and developers. The same stupid mistakes over and over again. And when you flag it you get an attitude of "u r old sk3w1", "you don't get it", etc.

      And in at least 2 cases I tried to warn them and when the fecal material impacted the rotary air circulation device guess who got blamed? The guy who tried to stop them. As if I had somehow jinxed them by trying to help them.

  • by Anonymous Coward

    The Mongols motorcycle club have been at war with the Hells Angels for years. This might be an attempt at attacking their members.

  • This is equivalent to the facilities guy at work installing new doors with no locks and then a thief putting locks on all the doors with a note to pay him $200 to get the keys to the new locks; it is almost a public service in this case. Heads should roll for this stupidity, though most at the executive level have such a poor understanding of good security practices who knows.

  • This is the result of poor decision making, but a hack like this is even easier with Elasticsearch.

    Unless you pay for a license, Elasticsearch doesn't even offer something as simple as user/password authentication.

    Seriously.
