The recent wave of ransom attacks on MongoDB databases happened because database owners forgot to set passwords on their administrator accounts, according to Davi Ottenheimer, Senior Director of Product Security at MongoDB, Inc.
“We have been monitoring the situation closely to help investigate and provide assistance,” Ottenheimer wrote in a blog post.
“We’ve reviewed these details to understand where and when users left systems insecure – connected to the Internet with no password on their Administrator account – and who is attacking them,” he said.
Recent wave of MongoDB ransom attacks ruined 26,000 DBs
The recent wave of attacks came to light two weeks ago. Three new actors have been busy taking over MongoDB databases and rewriting their content with ransom demands.
Attackers ruined over 26,000 MongoDB servers, with one group alone being responsible for over 22,000 ransom demands.
This wave of ransom demands came after a period of inactivity from MongoDB ransom groups. At the start of 2017, several groups have held for ransom over 50,000 MongoDB databases.
Victor Gevers, one of the researchers who’s been tracking the attacks, confirmed the findings of the MongoDB investigation to Bleeping Computer earlier today. This puts the blame for this second wave of MongoDB ransom attacks on the shoulders of database owners solely.
MongoDB slowly fixing endemic problem
Problems with MongoDB security started a few years back when some versions of the MongoDB database prior to v2.6.0 came with a default configuration that allowed anyone to access the administrative interface from all network locations, not just localhost. Furthermore, the admin account did not feature a password. This allowed attackers to connect to databases with the user root and no password.
MongoDB Inc. corrected this configuration error shortly after, but by that time, many of those MongoDB versions had been incorporated as part of web server images deployed by some hosting providers such as Amazon.
Eventually, this resulted in hundreds of thousands of servers running older MongoDB versions with insecure default configs.
The January MongoDB ransom attacks contributed to the elimination of most old MongoDB versions, but researchers also discovered that newer DB versions were also being held for ransom just as much as old ones.
Researchers found that database owners were intentionally exposing their systems to the Internet with no password, ignoring all the security best practices for the sake of convenience and ease of access. This appears to have been the case once more with the August-September attacks.
Just like he did in January, Ottenheimer took the opportunity to remind MongoDB server administrators to update their database, or at least secure their database config files.
He advised that server owners use strong passwords for all accounts and prevent users from accessing the administrative interface from the Internet. More details are available in a guide to MongoDB security here.
MongoDB security improvements coming to v3.6.0
Furthermore, MongoDB announced plans to harden the database’s security policies in the upcoming MongoDB 3.6.x release.
“Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions,” Ottenheimer says. “This will also be incorporated into our upcoming production-ready 3.6 release.”
“Version 3.6 will solve the biggest issue,” Gevers told Bleeping Computer in a private conversation. “Everyday we are learning more about the attackers and the way they execute their attacks.”
MongoDB also plans to add warnings to the company’s download center and has already incorporated all its recommended security practices in MongoDB Atlas, the company’s MongoDB-as-a-Service offering.