Unsecured MongoDBs taken hostage
I've aquired the portion of the log related to the hostage taking, posted below. In particular this log shows that __no__ backup of the data was taken. So please don't pay any money!
------------------------------------------
Although my colleagues and I have already pointed out the issue of open-by-default databases in spring 2015 (look at the references), today it seems for the astonishingly first(?) time somebody took the opportunity to erase hundreds of MongoDBs leaving only this Message:
{ "_id" : ObjectId("5859a0370b8e49f123fcc7da"), "mail" : "harak1r1@sigaint.org", "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }
Well played, system admins.
Updates:
The price for the data seems to equate to about 200 USD currently. Thanks, wereHamster.
This has been going on since at least yesterday (https://twitter.com/achillean/status/816385533538631680). Thanks, NietTim.
There have already been transactions by presumed victims: https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq . Thanks, anondon.
Please read the official security checklist by MongoDB! In particular, use passwords and don't expose on all interfaces (duh!)! https://docs.mongodb.com/manual/administration/security-checklist/
Sources/References:
The Jan '15 info paper of which I am one of the authors: https://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf
(Jan '17) http://www.csoonline.com/article/3154190/security/exposed-mongodb-installs-being-erased-held-for-ransom.html
http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/
(German) https://www.heise.de/newsticker/meldung/Eindringling-nimmt-offenbar-MongoDB-Datenbanken-als-Geisel-3587479.html
65 comments
[ 2.6 ms ] story [ 120 ms ] threadLooks like the guy pulled off these blackmailing/hostage tricks before as well.
Not to pile on to the already tense situation, would you be open to sharing how this happened, what the database contained etc, sort of like a post mortem without revealing any personally identifiable info.
Some sort of analysis of the purpose of these directly exposed MongoDB instances could be interesting. Are they being used as a backend for JavaScript applications?
I don't see any reason that a database should allow to listen to any address without authentication. There shouldn't be a real world application requiring this.
And this is case in point.
Oh yeah? I dumped over 40TB of data from open MySQL instances. --skip-grant-tables is probably the most common advice for resetting your MySQL root password.
Update: in a different log he used a different server for the attack, suggesting he might be using innocent servers, therefore I removed the log.
I understand why the authentication is disabled by default, but it should fail to start with a DB that has users with roles and stuff.
In my case the database already had some users configured. But because I did't start the server with --auth option, MongoDB ignored all users and allowed everyone to connect.
Situation #1, new database: Start MongoDb without any users, but as soon as the admin user is added, drop all connections and enable authentication
Situation #2, existing database: In MongoDB is started with a database, that has admin user but the authentication is not enabled, fail and exit.
Requested action not taken: mailbox unavailable 550 Invalid recipient
Please don't say "hack" when you've been auto-pwned by something that uses an OWASP TOP-10 to get you. It's carelessness, inexperience, possibly negligence or anything in between. But for sure it is not a hack!
If you left your door unlocked and someone stole your stuff, that's still a robbery.
If you left your database accidentally midconfigured and someone stole your data and left you an extortion notice, that's still a "hack".
Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?
True but hack in this context would be metaphorically closer to "breaking and entering". If your door is open, you've only got the latter half (from an english, not legal definition).
> If you left your database accidentally midconfigured and someone stole your data and left you an extortion notice, that's still a "hack".
I suppose it's a matter of semantics for me. If I use the word "hack" I'd expect a bare level of finesse to get past some defense or prevention system.
> Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?
Not in my book. They're all terrible decisions but then again anything that involves "Using X without understanding the implications of the default set up of X" tends to be a terrible decision.
I agree that if you leave your door unlocked, it's a robbery but it's not a heist. Likewise, if you leave your database publicly accessible, it's extortion through technical means but it's not hacking.
> Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?
Yes. A service that is configured to be publicly accessible is very different to a service that requires active exploitation. Misconfiguring MongoDB is more like making your Wordpress admin page the home page and removing all login requirements.
(Note: I have no idea how exactly mongo implements deletion.)
> I don't have any :(
You're aware those two statements conflict with each other yeah? :(
https://blog.shodan.io/its-the-data-stupid/
Note that MongoDB listens on localhost unless changed by the user or the developer is using an insecure image.