Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

MongoDB Ransomware?

DZone's Guide to

MongoDB Ransomware?

There's been some recent news about hackers holding MongoDB data for ransom in bitcoins, but what does such a hack actually require or look like?

· Security Zone
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

In this blog post, we’ll look at some of the concerns recently seen around MongoDB ransomware and security issues.

Security blogs and magazines have recently been aflutter with the news that a hacker is stealing data from MongoDB instantiations and demanding bitcoins to get the data back. This sounds pretty bad at first glance, but let’s examine the facts.

The hacker needs a few things to pull this off:

  1. MongoDB is running on default ports
  2. MongoDB is not using authentication
  3. MongoDB is accessible on the Internet with no security groups or firewalls

If this sounds familiar, you might remember a similar flurry occurred last year when people counted the number of open MongoDB installs on the web. That required these same conditions to all be true. This also means the solution is the same: you simply need to make sure you follow the normal security practices of locking down ports and using authentication. Not so scary after all, right?

What Does This Hack Look Like?

Finding out if this happened is simple: your data is removed and gone! In its place, you will find a “WARNING” database, which holds a “WARNING” collection. This collection has a document that looks like:

{
  "_id" : ObjectId("5859a0370b8e49f123fcc7da"),
    "mail" : "harak1r1@sigaint.org",
      "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }

To fix this, hopefully, you have backups. If you don’t, you might want to look at https://www.percona.com/blog/2016/07/25/mongodb-consistent-backups/ on how to get consistent backups. If not, you will need to send the hackers the 0.2 bitcoins (~200 USD) to get your data back.

So, backup!

But this brings us to the real question: can you be hijacked? It’s pretty easy to check:

  • Do you have authentication on? Try running this command:
  • rs1:PRIMARY> 
      if (db.adminCommand('getCmdLineOpts').parsed.security === undefined || db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined || db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled")
      {
        print("Auth not enabled!")
      }
    else
    {
      print("Your safe!")
    } 
    Auth not enabled!
  • Are you running on a non-default port? Simply run this command (if you’re using 27017 or 29017, you’re using a default port):
  • rs1:PRIMARY> db.adminCommand('getCmdLineOpts').parsed.net.port 27001

    The last part is a bit harder if the other two are both false. You will need to spin up a server outside of your environment and test the connection. I suggest an Amazon EC2 Micro instance (it’s very inexpensive – free if you use a new account). It’s simple to install a MongoDB client on. Check your setup:

    1. Login to Amazon and launch an EC2 node.
    2. Open a shell to this node (this can be done via their website).
    3. Get MongoDB’s binaries:
    wget -q --show-progress https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-amazon-3.4.1.tgz gzip -d mongodb-linux-x86_64-amazon-3.4.1.tgz tar xf mongodb-linux-x86_64-amazon-3.4.1.tar -C 3.4 --strip-components=1
  • Try and connect to your MongoDB Server
  • ./3.4/bin/mongo --host <your_host_name> --port <your_mongod_port>

    If this connects, and you can run “db.serverStatus()”, you are at risk and should enable authentication ASAP!

    We will have a blog out shortly on the particulars of creating a user. To enable authentication, you simply need to add “–auth” to your startup, or the following to your YAML config file:

    security:
    authorization:1

    This should get you started on correctly protecting yourself against MongoDB ransomware (and other security threats). 

    Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

    Topics:
    ransomware ,security ,mongodb ,database

    Published at DZone with permission of David Murphy, DZone MVB. See the original article here.

    Opinions expressed by DZone contributors are their own.

    {{ parent.title || parent.header.title}}

    {{ parent.tldr }}

    {{ parent.urlSource.name }}