MongoDB ransom attacks soar, body count hits 27,000 in hours

MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day. Criminals are accessing, copying and deleting data from unpatched or badly-configured databases. Administrators are being charged ransoms to have data returned. Initial …

  1. Anonymous Coward
    Anonymous Coward

    Had it coming...

    Sometimes some people simply set themselves up to fail. Sure, some of those databases were just for development, and they don't matter. But some have just set themselves up for this kind of outcome.

    I recently quit a company that is so helpless, they are shipping a product on CentOS 5.7, of course with an out-of-date MySQL package. To top it off, they are using the default root password for MySQL, and they "can't" change it because it was hard coded throughout their products. Yes, they also have passwords in plain text.

    What a tremendous amount of "stupid" in one place.

    I can only hope this amount of pain convinces people that certain practices are wholly and totally bad.

    1. Hans 1
      Facepalm

      Re: Had it coming...

      >they are shipping a product on CentOS 5.7, of course with an out-of-date MySQL package. To top it off, they are using the default root password for MySQL, and they "can't" change it because it was hard coded throughout their products. Yes, they also have passwords in plain text.

How do they find customers? Care to name the shame? Whistleblower and all that ...

      > and they "can't" change it because it was hard coded throughout their products.

      This also means they do not have a central database connection component in their solution, which probably means "very poorly written code".

      1. Anonymous Coward
        Anonymous Coward

It also probably means every connection is made with high privileges...

        ... opening their application to each and every kind of SQL injections.

        But surely it was a test setup which entered production without changes....

      2. Ogi

        Re: Had it coming...

        > and they "can't" change it because it was hard coded throughout their products.

Worst case scenario, have they never heard of find/replace? Specifically, "sed" will find/replace text across the whole data set. Of course a poor solution compared to doing it properly, but surely better than leaving the default password across every single production "product" they sell.

> How do they find customers? Care to name the shame? Whistleblower and all that ...

        I am actually liking the idea of having some sort of whistleblower type site, where workers can anonymously name and shame company products that are this bad. However you would have to find a way to stop companies falsely bad mouthing each others products on the site, as well as disgruntled ex-workers.

        Saying that, if someone says the app is crap because it uses the default mysql password everywhere, it is easy to test that, so I guess having only "verified problems" listed could possibly work.

      3. Anonymous Coward
        Anonymous Coward

        Re: Had it coming...

> How do they find customers? Care to name the shame? Whistleblower and all that ...

> This also means they do not have a central database connection component in their solution, which probably means "very poorly written code".

        Finding customers? Plural? I saw their sales figures for the past year, and they found one. Then they decided to revamp their product management, implemented scrum, and went from dumb to dumber. Yes, the product has a lot of poorly written code, and its performance is abysmal. The remaining programmer is competent, but he's planning on leaving soon. No reason to stay.

        The "root" user is "locked down" by limiting the user to local access only. However, the version of SSH is also old, and full of holes. If someone really wanted in, they'd be in.

        It's sort of pointless to blow a whistle on them, as they're going downhill anyways. Amazon has a page about management principles. These guys are those principles' negation.

        1. patrickstar

          Re: Had it coming...

At least if it's OpenSSH, you have to go way, way back to find a vulnerability that would actually allow remote access without any credentials. I think the most recent ones were the CRC32 deattack one (all servers with SSH1 enabled were vulnerable) and the integer overflow in PAM-related code (needed some non-standard but common config options). This was around 2001-2002 or so.

    2. patrickstar

      Re: Had it coming...

Well, to be fair, it's not necessarily a huge problem. At least if it's an appliance doing one specific thing.

      Unless the MySQL instance is actually listening for external connections, which would be a problem in itself if it ever saw an untrusted network, even with good authentication...

      1. Anonymous Coward
        Anonymous Coward

        Re: Had it coming...

        Mmh, no, even if it is an appliance doing one specific thing (how critical, BTW?), it's still a very bad design which could turn a less critical vulnerability into total havoc - and not only limited to the appliance itself.

        1. patrickstar

          Re: Had it coming...

So what you are basically saying is that no one should be using, say, SQLite for storage?

          Just like this setup, it has no authentication whatsoever and can very well be used in a way that's vulnerable to SQL injection.

This is mostly an issue when the DB server allows multiple commands in a single query (; EXEC xp_cmdshell, anyone?), which MySQL doesn't (technically maybe you can go out of your way to enable it though).

          Apart from that, the difference between using the root user vs. using a user with full access to all databases (I'll even hazard a guess that it's actually database, singular, in this case) isn't huge.

          I'm not saying this is good practice or anything, just that it falls into the "general sanity, should fix" bucket and not the "gaping security hole, fix yesterday" bucket.

    3. Anonymous Coward
      Anonymous Coward

      Re: Had it coming...

      "To top it off, they are using the default root password for MySQL"

      What the hell are the apps doing using the database server admin account in the first place. Database 101 FAIL.

Secondly, why the fuck are all these databases internet-accessible in the first place. The world clearly learned nothing from SQL-Slammer in the 90s. Idiots.

      "What a tremendous amount of "stupid" in one place."

      Not just one place by the sound of it.

  2. Anonymous Coward
    FAIL

    Something to note.

    By default an AWS instance drops all incoming traffic apart from an established initiated outbound connection (e.g. Do I need updating? Okay accept those incoming files then).

So in all these cases "someone" opened the mongoDB port to accept all connections from any computer rather than limiting connections to the application or computers associated with it. Even with the security issues with MongoDB's unpatched db, the only way this has happened is that someone turned off at least part of the default firewall (security group as AWS calls it).

    The scandal is not that this is happening, it's the inevitable consequence when some idiot does something stupid.
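A defender-side check for the misconfiguration this comment describes, added here as an example and not part of the thread: it walks a security group's ingress rules and flags any that let 0.0.0.0/0 or ::/0 reach TCP 27017. The input mimics the `IpPermissions` structure returned by the EC2 DescribeSecurityGroups API; the group and its rules are constructed for illustration.

```python
"""Flag AWS security-group ingress rules that expose MongoDB (TCP 27017) to the internet.
Added example, not from the original thread. The input mimics the IpPermissions
list returned by the EC2 DescribeSecurityGroups API; the group below is constructed."""

MONGODB_PORT = 27017
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample: SSH and one MongoDB rule are scoped to private ranges,
# the last rule opens a port range covering 27017 to the world (IPv4 and IPv6).
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 27000, "ToPort": 28000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

def rule_covers_port(rule, port):
    """True if a rule admits TCP traffic to `port` (IpProtocol -1 means every port)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def open_sources(rule):
    """Return the world-open CIDRs in a rule; empty when it is properly scoped."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANY_IPV6]
    return v4 + v6

def find_exposed_mongodb(group, port=MONGODB_PORT):
    """List (GroupId, CIDR) pairs for rules that expose `port` to any address."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if rule_covers_port(rule, port):
            findings.extend((group["GroupId"], cidr) for cidr in open_sources(rule))
    return findings

if __name__ == "__main__":
    for gid, cidr in find_exposed_mongodb(SAMPLE_GROUP):
        print(f"{gid}: TCP {MONGODB_PORT} reachable from {cidr}")
```

On a real account the same function can be fed each group from `describe_security_groups()`; a port range that merely overlaps 27017 is caught as well as an exact match.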

    1. David Roberts
      WTF?

Re: Something to note. AWS?

      I didn't see anything in the article to suggest that MongoDB had anything to do with AWS.

      A quick trip over to their web site suggests that the standard implementation is on premises.

      So, AWS?

      1. Korev Silver badge

Re: Something to note. AWS?

        This "attack" needs a web-facing server, so a lot of them will be in $CLOUD.

      2. Anonymous Coward
        Anonymous Coward

Re: Something to note. AWS?

In the original article, the hacker going under the pseudonym Har1k1r1 was targeting AWS instances (78%).

        http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/

        Even if that were not the case, have a publicly open unfiltered port to any software without the understanding of the implications is just unprofessional.

        1. Doctor Syntax Silver badge

Re: Something to note. AWS?

          "have a publicly open unfiltered port to any software without the understanding of the implications is just unprofessional."

          Were professionals involved or are these cases of Excel and Powerpoint jockeys moving up to the next level?

  3. Anonymous Coward
    Anonymous Coward

    My company uses passwords in text files which are unencrypted. When a customer (finally) questioned this there was great confusion about what to actually do about it and if it would stop happening.

    In our case it was poor leadership which allowed sloppy designers to get away with it. Not sure it'll change with this product, maybe our next..

    1. Dave Pickles

      If there *is* a next product...

      1. Anonymous Coward
        Anonymous Coward

        Indeed, there was great talk about how secure this one was going to be. Surprise surprise there are gaping holes.

        It does go to show though, that there is an issue with industry accepting poorly written/secured software. We've only had 1 customer out of double figures that picked up and commented on the lack of security.

        Requesting PEN test results before purchasing would be a good way to negate some problems. Responsibility would be on the manufacturer to ensure it is of a good standard before putting it to the market. You'd also have documented tests/results to then use as a baseline to ensure compliance/security/etc.

  4. Christoph
    Joke

    MongoDB only pwned in game of hacking

    1. Anonymous Coward
      Anonymous Coward

      Patches? We don't need no steenkin patches!

Obligatory Blazing Saddles quote is obligatory.

  5. Doctor Syntax Silver badge

    Easy come, easy go?

    If large numbers of databases have been pwned and few have paid up what does this tell us about how much the owners valued their Big Data?

    1. Anonymous Coward
      Anonymous Coward

      Re: Easy come, easy go?

That most likely these installations were commissioned by bandwagon jumpers who were told that big data would revolutionise their business metrics; employed any freelancer that had mongoDB on their c.v., threw all their data at an installation on a cheap AWS instance and then watched as nothing happened.

      This is a scenario where quite possibly in the course of an experiment with "big data", a company may not know what information has been leaked, lost or even looked at the legacy instance in months and hence the general inaction. That the patches for mongoDB have been out for just over a year, that the version most affected is 2.4.9 (when mongo is now at 3.4) all indicate temporary contractors.*

      * information about the hack from the original articles, theory derived from cleaning up this kind of thing multiple times.

  6. Ilsa Loving

    The Wordpress of Databases

MongoDB is the wordpress of databases, i.e. people really wanted a database for their product but didn't actually know what they were doing, so they used something that was easy to hit the ground running with.

    This is now the end result, for the exact same reasons that Wordpress is a security cesspool, and it will never change for pretty much the same reasons. It's not a failing of the technology per se, but the fact that it enabled morons who would ordinarily find burger flipping challenging, to push out software products.

    1. Drew 11

      Re: The Wordpress of Databases

      Holy crap, don't get me started on WordPress. What a clusterfuck that is, underneath the "drives 25% of the web" claim. And they wonder why datacentres burn so much carbon?

      I don't know how the developers sleep at night.

    2. cd

      Re: The Wordpress of Databases

      That disdain is a primary contributor to the problem. Fix your own car, do you? Could build one on your own? Know how to run a lathe and CNC? Forge metal parts? No problem fixing anything in your domicile that goes wrong? Never need a service call, correct?

      If you need any help with those, you must be less than a burger flipper.

Many people just want to drive somewhere. Many just want to turn on the heat or take a shower and have it work. And the same with online publishing. Lots of people have very high skills in other areas besides programming (yes, they exist) and don't care how the web works, they have stuff they want to share or discuss. And the people who could help most shit on them instead.

      So we have Facebook and Wordpress and Flickr and other low-entry crap polluting the web. It's really your fault for not doing better. You are an expert in human interface, correct? Don't need any help with that, I hope. Should be easy then.

      If you think WP is crap, make something better and help the world with your expertise.

      Let us know when it's done. We could use it.

      1. Hans 1

        Re: The Wordpress of Databases

Actually, here, mongodb is like a car, let's assume so ... you have never been in a car on the road, you have merely seen them drive past your porch, you know nothing about road signs, traffic lights etc .... now, you want a car, so you buy one with automatic transmission ... you do not care to read the manual to the car or the national driver's manual, coz car is "automatic" and "easy to drive", so the sales guy told you ... imagine what happens next?

If you do not want to learn how to do it properly, go pay some cash to someone who does know how to do it properly.

        The big issue is, these 0wned instances might get used as botnets or whatever ... especially if the owner does not pay up ...

        I am all for saying John Doe might be a good mechanic, however, in this case, John has chosen to play dba and there are things you need to learn before setting up a database, and no, quick installation instructions are NOT enough ...

  7. Paul Johnston
    Joke

    Backups anyone

If you have to pay to get your files back, that suggests there is only one copy.

    Perhaps you could secure the problem then restore from backup?
