Last week ZDNet reported on a hack affecting 23,000 databases running MongoDB. The hacker, or possibly multiple hackers, ran scripts to automate access to misconfigured databases. In total, ZDNet reported that the attacks hit 47% of the MongoDB databases open on the Internet. This campaign likely started around April of this year, but others use the same techniques against open MongoDB databases all the time.
In this case they left a ransom note extorting the owners for bitcoin. In the note, they stated that if the owners don't pay, they will not only delete the data but also file a GDPR complaint.
“All your data is a backed up. You must pay 0.015 BTC to 1MqHUrV5u1h3QoiSifkw4s9QYFJX4gjkn7 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: [email protected]”
We believe this group won't have the resources to properly file a GDPR complaint for every company, since filling out all 23,000 complaints would likely take weeks or even months. However, the loss of data to the hackers endangers the users who trusted these companies with their data.
Many database admins cringe at the thought of a data breach, but you can easily and cheaply preserve the integrity of your data with a backup. Keeping the data out of the hands of hackers is a harder problem. You can mitigate the risk with a strong passphrase, by patching the management server OS, and by patching the database software. Additional protection such as an IPS (Intrusion Prevention Service) will also help prevent attacks; WatchGuard has multiple signatures for MongoDB vulnerabilities in its IPS signature set, and placing it in front of the database adds another layer of protection. These protections, when properly implemented, will stop almost all breaches.
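As an added example (not code from this post or from WatchGuard), here is a small Python audit that reads a mongod.conf and flags the two settings that left these databases open: binding to every interface and running with authorization disabled. Both sample configurations are constructed for the example, and 10.0.0.5 stands in for a private application-network address.

```python
from typing import Dict, List

def parse_simple_yaml(text: str) -> Dict:
    """Parse the mapping-only YAML subset mongod.conf uses: nested
    'key: value' lines indented with spaces, no lists or anchors."""
    root: Dict = {}
    stack = [(-1, root)]                      # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:         # leave deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("'\"")
        else:                                 # section header: nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_mongod_conf(conf: Dict) -> List[str]:
    """Flag the two settings that turn a mongod into an 'open' database:
    listening on every interface and running without authorization."""
    findings = []
    net = conf.get("net", {})
    # mongod defaults to loopback only when bindIp is absent
    addrs = {a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")}
    if str(net.get("bindIpAll", "false")).lower() == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp: listens on all interfaces, reachable from every attached network")
    # authorization is disabled unless explicitly enabled
    if str(conf.get("security", {}).get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization: not enabled, anyone who can connect has full access")
    return findings

# Constructed sample: the kind of configuration behind the exposed databases.
OPEN_CONF = """\
net:
  bindIp: 0.0.0.0          # every interface, public ones included
"""
# Constructed sample: the same server with both settings corrected
# (10.0.0.5 is a placeholder for the private application-network address).
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app network only
security:
  authorization: enabled       # users and roles are required for any access
"""
```

Run it against /etc/mongod.conf on your own servers; an empty result means the two checks above pass, and a firewall in front of the port plus a tested backup cover the rest of the advice in this post.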
Not having your database/DB server reachable on the public Internet is the best and most basic first step to take.
Trevor Collins says
Agreed, though this relates to the way users access the database, which is normally outside the control of a database admin.
Trevor Collins says
You are correct, admins should encrypt the database. Encryption of the database will prevent direct access to the database in case of a lost hard drive or similar situation.