MongoDB Ransomware?
There's been some recent news about hackers holding MongoDB data for ransom in bitcoins, but what does such a hack actually require or look like?
In this blog post, we’ll look at some of the concerns recently seen around MongoDB ransomware and security issues.
Security blogs and magazines have recently been aflutter with the news that a hacker is stealing data from MongoDB instantiations and demanding bitcoins to get the data back. This sounds pretty bad at first glance, but let’s examine the facts.
The hacker needs a few things to pull this off:
- MongoDB is running on default ports
- MongoDB is not using authentication
- MongoDB is accessible on the Internet with no security groups or firewalls
If this sounds familiar, you might remember a similar flurry occurred last year when people counted the number of open MongoDB installs on the web. That required these same conditions to all be true. This also means the solution is the same: you simply need to make sure you follow the normal security practices of locking down ports and using authentication. Not so scary after all, right?
What Does This Hack Look Like?
Finding out if this happened is simple: your data is removed and gone! In its place, you will find a “WARNING” database, which holds a “WARNING” collection. This collection has a document that looks like:
```json
{
  "_id" : ObjectId("5859a0370b8e49f123fcc7da"),
  "mail" : "harak1r1@sigaint.org",
  "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
}
```
Recovering from this depends on having backups. If you don’t have any yet, see https://www.percona.com/blog/2016/07/25/mongodb-consistent-backups/ for how to take consistent backups. Without a backup, you will need to send the hackers the 0.2 bitcoins (~200 USD) to get your data back.
So, backup!
But this brings us to the real question: can you be hijacked? It’s pretty easy to check:
```javascript
rs1:PRIMARY>
// Auth counts as enabled only when security.authorization is explicitly set
if (db.adminCommand('getCmdLineOpts').parsed.security === undefined ||
    db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined ||
    db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled")
{
    print("Auth not enabled!")
}
else
{
    print("You're safe!")
}
Auth not enabled!
// Which port mongod is listening on (27017 is the default)
rs1:PRIMARY> db.adminCommand('getCmdLineOpts').parsed.net.port
27001
```
The last part is a bit harder to check if the other two came out fine. You will need to spin up a server outside of your environment and test the connection. I suggest an Amazon EC2 Micro instance (it’s very inexpensive – free if you use a new account), and installing a MongoDB client on it is simple. Check your setup:
- Login to Amazon and launch an EC2 node.
- Open a shell to this node (this can be done via their website).
- Get MongoDB’s binaries:
```bash
# Download and unpack the 3.4.1 Linux binaries into ./3.4
wget -q --show-progress https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-amazon-3.4.1.tgz
gzip -d mongodb-linux-x86_64-amazon-3.4.1.tgz
mkdir -p 3.4   # tar -C needs the target directory to exist
tar xf mongodb-linux-x86_64-amazon-3.4.1.tar -C 3.4 --strip-components=1

# Try to reach your server from outside your network
./3.4/bin/mongo --host <your_host_name> --port <your_mongod_port>
```
If this connects, and you can run “db.serverStatus()”, you are at risk and should enable authentication ASAP!
We will have a blog out shortly on the particulars of creating a user. To enable authentication, you simply need to add “--auth” to your startup, or the following to your YAML config file:
```yaml
security:
  authorization: enabled
```
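The shell one-liner above checks auth and the port by hand. The following is an added example (not from the original post) that folds the post's three preconditions into one function over the object returned by `db.adminCommand('getCmdLineOpts')`, whose `parsed` subtree mirrors the YAML config. It assumes the 3.4-era default of binding to every interface when `net.bindIp` is absent, and the two sample server objects are constructed, not captured.

```javascript
// Added example: evaluate the post's three preconditions from getCmdLineOpts.
const DEFAULT_PORT = 27017;

function assessMongoExposure(cmdLineOpts) {
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  const security = parsed.security || {};
  const net = parsed.net || {};

  // Same rule as the post's shell check: auth is on only when explicitly "enabled".
  const authEnabled = security.authorization === 'enabled';
  const port = net.port === undefined ? DEFAULT_PORT : Number(net.port);
  const defaultPort = port === DEFAULT_PORT;
  // Assumption: no bindIp means the pre-3.6 default of all interfaces;
  // bindIp may also be a comma-separated list.
  const bindIp = net.bindIp === undefined ? '0.0.0.0' : String(net.bindIp);
  const boundToAllInterfaces = bindIp.split(',').map(s => s.trim())
    .some(ip => ip === '0.0.0.0' || ip === '::' || ip === '*');

  const findings = [];
  if (!authEnabled) findings.push('authorization not enabled (set security.authorization: enabled)');
  if (defaultPort) findings.push(`listening on the default port ${DEFAULT_PORT}`);
  if (boundToAllInterfaces) findings.push(`bound to all interfaces (bindIp=${bindIp})`);

  // Config alone cannot prove Internet reachability; that still needs the
  // external connection test from the post. "atRisk" = no auth and open bind.
  return { authEnabled, port, defaultPort, bindIp, boundToAllInterfaces,
           atRisk: !authEnabled && boundToAllInterfaces, findings };
}

// Constructed samples: mongod started with no options, and one using the
// post's YAML fix plus a loopback bind on a non-default port.
const OPEN_SERVER = { argv: ['mongod'], parsed: {}, ok: 1 };
const HARDENED_SERVER = {
  argv: ['mongod', '--config', '/etc/mongod.conf'],
  parsed: { net: { port: 27001, bindIp: '127.0.0.1' },
            security: { authorization: 'enabled' } },
  ok: 1,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, opts] of Object.entries({ OPEN_SERVER, HARDENED_SERVER })) {
    const r = assessMongoExposure(opts);
    console.log(`${name}: ${r.atRisk ? 'AT RISK' : 'ok'}`, r.findings);
  }
}
```

Run it with `node` on a real server by pasting the JSON from `db.adminCommand('getCmdLineOpts')` in place of the sample objects.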
This should get you started on correctly protecting yourself against MongoDB ransomware (and other security threats).
Published at DZone with permission of David Murphy, DZone MVB. See the original article here.