Malware Melts Down MongoDB Implementations


Ransomware happens. Sometimes, you do everything you can, and ransomware still gets you. Sometimes you get hit by ransomware so many times that overlapping infections encrypt each other. This surreal farrago of malware is what happened to several companies that made a common mistake with their MongoDB implementations. By leaving these databases reachable and searchable on the open internet, they made themselves irresistible targets.

What’s MongoDB? Why are its databases so easy to hack? More importantly, if you’re running MongoDB, how do you batten down the hatches?

MongoDB has Created InfoSec Problems for Years

It’s not news that MongoDB is a popular web database offering. It’s easy to use, but also easy to misuse. Many, many companies have accidentally configured their MongoDB implementations in such a way that you can find them on the internet using a simple search string. You may recall that Verizon Enterprise Solutions—yes, the same branch that publishes the Data Breach Investigations Report—lost a bunch of data last year. That was due to this same problem.

Having a database misconfigured like that wasn’t always a huge deal. In fact, it’s been such a common mistake that there’s now an entire search engine, known as Shodan, which can search for these insecure databases (in addition to unsecured security cameras, industrial control systems, traffic lights, and whatnot). Unfortunately, however, hackers have also discovered that they can use tools like Shodan—and that the contents of these databases are worth a lot to their owners.

A Tidal Wave of Ransomware

This is the part where—if the loss of data weren’t so tragic—the story would become farcical. First, malware authors began to notice the sheer volume of unsecured MongoDB implementations—over 50,000, according to Shodan. Then, they struck. As of January 9th, 12,000 MongoDB servers were infected. The very next day, that number had more than doubled, with an estimated 93 terabytes of data now held hostage.

The situation is now so dire that administrators are facing what amounts to a Russian nesting doll of infections. First one hacker will encrypt a database. Before any of the administrators realize what’s going on, another hacker will have replaced the ransom note on the originally encrypted database. There are several documented instances of administrators paying one hacker, only to realize that an entirely different bad actor is the one responsible for encrypting their data.

[Image caption: Mongo Just Pawn in Game of Life]

How Can Companies Protect Themselves?

We hate to say it, but if your MongoDB database is misconfigured, then it’s very likely that your data is already gone. If it’s not, or if you’re just setting up a MongoDB database right now, there is a way to make sure that this doesn’t happen to you.

  • First of all, MongoDB weirdly doesn’t turn on security precautions by default. The MongoDB organization has published a tutorial on how to secure database implementations, but it’s strange that these protections aren’t automatic.
  • Second of all, make sure your database is behind a firewall. This would seem like common-sense advice, but tell that to the 50,000 database owners whose data has just evaporated.
  • Third of all, make sure you’ve deployed server protection. While the lack of password protection on these MongoDB servers means that hackers don’t have to log in to encrypt your data, the attackers are using scripts to perform encryption en masse. Some forms of server protection may catch these scripts.
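The first two points above come down to two lines in mongod.conf: `security.authorization` (is authentication enforced?) and `net.bindIp` (which interfaces does the server listen on?). The script below is an added example, not SentinelOne’s product or anything from the MongoDB tutorial; it audits a config file for exactly those two settings and fails if either is wrong. The YAML keys are real mongod.conf keys; the three sample configuration files it writes are constructed for the demonstration, and the assumption that an unset `bindIp` means “all interfaces” matches MongoDB releases before 3.6, which is what the servers in this story were running (3.6 and later default to localhost).

```shell
#!/bin/sh
# Added example (not from the original post): audit a mongod.conf for the two
# settings that left these databases open: no authentication enforced, and a
# listener bound to every interface. Returns 0 when both are hardened, 1 otherwise.
audit_mongod_conf() {
    conf="$1"
    status=0
    # Drop comment lines first so a commented-out "authorization: enabled" is not counted.
    stripped=$(grep -v '^[[:space:]]*#' "$conf")

    # Check 1: security.authorization must be "enabled" (mongod accepts the value with or without quotes).
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*authorization:[[:space:]]*"?enabled"?'; then
        echo "OK   $conf: security.authorization is enabled"
    else
        echo "FAIL $conf: authentication is not enforced (security.authorization missing or disabled)"
        status=1
    fi

    # Check 2: net.bindIp must not expose the server on all interfaces.
    bind=$(printf '%s\n' "$stripped" | sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' | tr -d '"' | head -n 1)
    open=0
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true'; then
        open=1                       # explicit opt-in to every interface
    elif [ -z "$bind" ]; then
        open=1                       # pre-3.6 builds listened everywhere when bindIp was unset
    else
        # bindIp may be a comma-separated list; any wildcard entry makes it public.
        for ip in $(printf '%s' "$bind" | tr ',' ' '); do
            case "$ip" in 0.0.0.0|::) open=1 ;; esac
        done
    fi
    if [ "$open" -eq 1 ]; then
        echo "FAIL $conf: listener is reachable on all interfaces (bindIp='${bind:-unset}')"
        status=1
    else
        echo "OK   $conf: net.bindIp=$bind"
    fi
    return $status
}

# Constructed sample configs (not taken from any real server).
SAMPLE_DIR=$(mktemp -d)

# The kind of deployment that got hit: no auth, bound to every interface.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# security:
#   authorization: enabled
EOF

# Half-fixed: auth is on, but the port is still reachable from anywhere.
cat > "$SAMPLE_DIR/partial.conf" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: enabled
EOF

# Hardened: auth enforced and the listener limited to loopback plus one private address.
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
EOF

# Usage: run the audit over the three samples (the first two are expected to fail).
audit_mongod_conf "$SAMPLE_DIR/weak.conf" || echo "-> weak.conf needs both fixes"
audit_mongod_conf "$SAMPLE_DIR/partial.conf" || echo "-> partial.conf still needs a firewall or a narrower bindIp"
audit_mongod_conf "$SAMPLE_DIR/hardened.conf" && echo "-> hardened.conf passes"
```

Binding to specific addresses is not a substitute for the firewall in the second bullet; it simply removes the accidental exposure that made these servers discoverable. Run the audit against the running instance’s actual config path (typically /etc/mongod.conf on Linux packages) rather than a copy, since the copy is what tends to drift.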

SentinelOne’s server protection platform is designed specifically to catch instances of unauthorized creation, deletion, or encryption of files. Our platform can detect suspicious activity with dynamic behavioral detection and automatically mitigate these actions. On the off chance they aren’t caught right away, it can seamlessly back up and restore these volumes. Configuration is a tricky business, and the price of a mistake shouldn’t be the loss of millions of dollars’ worth of data. For more information on how to prevent malicious activities like these, take a look at this white paper, “Ransomware is here: What You Can Do About it.”