MongoDB: The case for not paying the database hijackers

Thousands of MongoDB databases held for ransom

In recent weeks, it has come to light that thousands of MongoDB databases have been hijacked.  At last count, over 30,000 databases were being held for ransom.  The various people responsible for the hijackings are accepting payment through bitcoin.  You shouldn't pay!

What is MongoDB?

MongoDB is a type of database that uses a language known as ‘NoSQL’.  Basically, instead of the bunch of tables that typical databases have, it uses JSON-like documents to store information.  Doing it this way is supposed to make retrieving information much faster and lowers the overhead of the database schema overall.  I've yet to be sold, but then again, I don't use MongoDB.

How the hijack happens

Believe it or not, the hijack happens quite easily.  In fact, I wouldn't even consider the attack itself a type of hacking, because the attacker doesn't actually have to ‘hack’ anything.  The issue lies with the database administrator and their failure to secure their database.

This is the same as putting an unlocked filing cabinet filled with information in the middle of Times Square.

Anyone can easily find MongoDB databases exposed on the Internet using simple tools like Shodan (https://www.shodan.io).  Shodan does all the heavy lifting, which is why so many of us in the information security community call it ‘Google for hackers’.

Here's a simple search that I did on Shodan to list over 48,000 publicly accessible MongoDB servers: product:MongoDB

I took a random result to use as my example and decided to check it out.  Sure enough, absolutely no authentication existed.  Keep in mind, I haven't hacked anything.  Databases are meant to serve information to web applications, so my request comes across no differently than someone else's that's legitimately trying to get information: 

We can see here that whatever database this server used to have is no longer there.  Instead, it's been replaced with one called ‘PLEASE_READ’.

Taking a look at the contents of PLEASE_READ only shows one JSON-document which tells us that the real database has been backed up somewhere else and if we want it back we need to send Bitcoins and email the hijackers.

Why you shouldn't pay

There's a glaring problem here.  Did you spot it?  Both the hijackers and I logged in to this database without an issue; who else did?  Is this ‘kraken@india.com’ email address even the original hijacker?  They're only asking for 0.1 BTC, which is about $78 USD, very different from the original hijackers' ask of nearly 1.0 BTC or $800 USD.  I think this person is a copycat.

If I wanted to ride someone else's coat tails, here's what I would do: change the record in the database to reference my Bitcoin wallet:

Which is exactly what I did to prove my point.  Don't worry, I reverted it back to its original state so this poor database owner knows who to contact to possibly get their database back.

Think about what just happened here.  Someone else has hijacked this person's database and left a message.  Then someone else came along and changed the message hoping to cash in on someone else's work.  My money's on this guy never getting his database back.

Don't negotiate with terrorists.

The US government doesn't do it, so why should you?  You back your database up frequently if you're a good database administrator.  If not, I venture to say you're out of luck.  Time to let your customers know their data has been compromised and start anew.

Secure your database

Regardless of what type of database is being used, securing it should be the first step.  Doing simple things, such as making sure that the default accounts aren't in use, is very important.  Here are a few other things that you can do to secure your MongoDB database:

● Check out MongoDB's security checklist (https://docs.mongodb.com/manual/administration/security-checklist/)

● Get the server off of the public Internet!

● Ensure there is some sort of authentication (not anonymous).

● Limit remote access with network rules.

● Perform frequent security testing on Internet-facing devices (http://www.myneo.co)
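The two settings that separate a hijacked server from a safe one are where mongod listens (net.bindIp) and whether it requires authentication (security.authorization).  The following is an added example, not code from this post or from MongoDB: a dependency-free checker that reads a mongod.conf in the YAML layout MongoDB uses and flags the weak settings.  The parser only handles the flat "key: value" and nested-mapping subset that mongod.conf actually uses, and both sample configurations are constructed for illustration.

```python
"""Audit a mongod.conf for the exposure pattern behind the MongoDB ransom attacks.

Added example (not from the original post or from MongoDB). Checks the two
settings that matter most: net.bindIp and security.authorization.
"""
from typing import Any, Dict, List


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the YAML subset mongod.conf uses: nested mappings by indentation,
    scalar values, and '#' comments. Lists and multi-line values are not handled."""
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out of any mapping whose indentation this line has left.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {}) if isinstance(conf.get("net"), dict) else {}
    security = conf.get("security", {}) if isinstance(conf.get("security"), dict) else {}
    findings: List[str] = []

    bind_ip = net.get("bindIp", "")
    ips = [ip.strip() for ip in bind_ip.split(",") if ip.strip()]
    if not ips:
        # Before MongoDB 3.6 the binary listened on all interfaces when bindIp was unset.
        findings.append("net.bindIp not set: older mongod releases listen on every interface by default")
    elif any(ip in ("0.0.0.0", "::") for ip in ips):
        findings.append(f"net.bindIp={bind_ip}: server listens on every interface, including public ones")
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll=true: server listens on every interface, including public ones")

    auth = security.get("authorization", "disabled")  # mongod's default is disabled
    if auth != "enabled":
        findings.append(f"security.authorization={auth}: anyone who can reach the port can read or drop databases")
    return findings


# Constructed sample: the kind of configuration behind the hijacked servers.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the whole Internet
"""

# Constructed sample: the hardened counterpart.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-server network only
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["OK"])
```

Turning on security.authorization only helps once there is a user to authenticate as: create an administrative user in the admin database (db.createUser in the mongo shell) before restarting with authorization enabled, and pair the bindIp change with host or cloud firewall rules so the port is never reachable from the Internet even if the config regresses.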