top | item 13317045

Unsecured MongoDBs taken hostage

83 points| xyunknown | 9 years ago

!!! Important Follow-up !!!:

I've acquired the portion of the log related to the hostage taking, posted below. In particular this log shows that __no__ backup of the data was taken. So please don't pay any money!

------------------------------------------

Although my colleagues and I have already pointed out the issue of open-by-default databases in spring 2015 (look at the references), today it seems, for the astonishingly first(?) time, somebody took the opportunity to erase hundreds of MongoDBs, leaving only this message:

{ "_id" : ObjectId("5859a0370b8e49f123fcc7da"), "mail" : "[email protected]", "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }

Well played, system admins.

Updates:

The price for the data seems to equate to about 200 USD currently. Thanks, wereHamster.

This has been going on since at least yesterday (https://twitter.com/achillean/status/816385533538631680). Thanks, NietTim.

There have already been transactions by presumed victims: https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq . Thanks, anondon.

Please read the official security checklist by MongoDB! In particular, use passwords and don't expose on all interfaces (duh!)! https://docs.mongodb.com/manual/administration/security-checklist/

Sources/References:

The Jan '15 info paper of which I am one of the authors: https://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf

(Jan '17) http://www.csoonline.com/article/3154190/security/exposed-mongodb-installs-being-erased-held-for-ransom.html

http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/

(German) https://www.heise.de/newsticker/meldung/Eindringling-nimmt-offenbar-MongoDB-Datenbanken-als-Geisel-3587479.html

64 comments

[+] DyslexicAtheist|9 years ago|reply
"hack" is the wrong word considering we're talking about DB instances exposed to the Internet without access controls.

Please don't say "hack" when you've been auto-pwned by something that uses an OWASP TOP-10 to get you. It's carelessness, inexperience, possibly negligence or anything in between. But for sure it is not a hack!

[+] koolba|9 years ago|reply
Using "hack" to refer to this is like leaving your front door wide open and referring to being robbed as an Ocean's 11 style escapade.
[+] mrweasel|9 years ago|reply
It's fascinating that someone installs and configures MongoDB and doesn't stop to think: "Hey, maybe this shouldn't be exposed directly to the internet". I mean you wouldn't do that with something like MySQL.

Some sort of analysis of the purpose of these directly exposed MongoDB instances could be interesting. Are they being used as a backend for JavaScript applications?

[+] dx034|9 years ago|reply
Many database systems are by default only exposed to localhost, you'd have to specifically change the settings to be able to talk to it from outside. That's at least the case for Postgres and MSSQL, not sure about MySQL.

I don't see any reason that a database should allow to listen to any address without authentication. There shouldn't be a real world application requiring this.

[+] ryanlol|9 years ago|reply
> I mean you wouldn't do that with something like MySQL.

Oh yeah? I dumped over 40TB of data from open MySQL instances. --skip-grant-tables is probably the most common advice for resetting your MySQL root password.

[+] anacrolix|9 years ago|reply
Yeah but webscale apps aren't vulnerable.
[+] SillentTroll|9 years ago|reply
I also have been affected by the same "hack". Turns out I had simply forgotten to start mongod with the --auth option, even though I had created users for different databases, including the admin! Looks like in "non secure mode" it allows logins with existing users as well as non-authorized ones.

I understand why the authentication is disabled by default, but it should fail to start with a DB that has users with roles and stuff.

[+] dx034|9 years ago|reply
Why should it be disabled by default? I don't see a reason why any database system would run without auth. At installation they can always use a local user account if no password is provided.
[+] SillentTroll|9 years ago|reply
A solution for people like me, who forget the --auth, would be:

Situation #1, new database: Start MongoDb without any users, but as soon as the admin user is added, drop all connections and enable authentication

Situation #2, existing database: If MongoDB is started with a database that has an admin user but authentication is not enabled, fail and exit.
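As an added example (not part of this thread and not MongoDB's own tooling), here is a small Python audit that merges a mongod.conf fragment with the mongod command line and reports the two settings the thread keeps returning to: which interfaces the server binds to and whether authorization is on. The `parse_conf` helper and the two sample configs are constructed for this example; the `net.bindIp` and `security.authorization` keys and the `--auth`, `--noauth` and `--bind_ip` flags are MongoDB's real names.

```python
import shlex

# Constructed sample mongod.conf fragments (YAML subset), not taken from any real host.
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nstorage:\n  dbPath: /var/lib/mongodb\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_conf(text):
    """Hypothetical helper: parse only the two-level 'section:/  key: value' subset of mongod.conf."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop YAML comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):                  # top-level section such as "net:"
            section = key
        elif section:
            out[section + "." + key] = value.strip()  # e.g. out["net.bindIp"] = "0.0.0.0"
    return out

def audit(conf_text, cmdline=""):
    """Merge config file and command line (flags override the file) and return
    (auth_enabled, loopback_only, findings) for the two settings the thread is about."""
    cfg = parse_conf(conf_text)
    args = shlex.split(cmdline)
    auth = cfg.get("security.authorization") == "enabled"
    if "--auth" in args or "--noauth" in args:   # an explicit flag wins over the file
        auth = "--auth" in args
    bind = cfg.get("net.bindIp")
    for i, a in enumerate(args):                 # --bind_ip X or --bind_ip=X
        if a == "--bind_ip" and i + 1 < len(args):
            bind = args[i + 1]
        elif a.startswith("--bind_ip="):
            bind = a.split("=", 1)[1]
    findings = []
    if bind is None:                             # nothing set: the binary's own default applies
        findings.append("bindIp not set; mongod before 3.6 then listened on all interfaces")
        loopback_only = False
    else:
        loopback_only = {a.strip() for a in bind.split(",")} <= LOOPBACK
        if not loopback_only:
            findings.append("listens beyond localhost: " + bind)
    if not auth:
        findings.append("authorization not enabled: any client gets full access")
    if not auth and not loopback_only:
        findings.append("CRITICAL: reachable from outside without credentials, the state the wiped instances were in")
    return auth, loopback_only, findings
```

Run `audit(WEAK_CONF)` to see the state SillentTroll describes, and `audit(WEAK_CONF, "mongod --auth --bind_ip 127.0.0.1")` to confirm that the command-line flags alone are enough to close it.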

[+] achillean|9 years ago|reply
How did you install MongoDB? I'm asking because by default it should only listen on localhost and I'm trying to understand whether there's a popular package/ repository that has changed that default from localhost to 0.0.0.0
[+] anondon|9 years ago|reply
Look at the btc address history: https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq

Looks like the guy pulled off these blackmailing/hostage tricks before as well.

Not to pile on to the already tense situation, would you be open to sharing how this happened, what the database contained etc, sort of like a post mortem without revealing any personally identifiable info.

[+] xyunknown|9 years ago|reply
I am not affected by this hostage taking. On the contrary, I am one of the authors of the aforementioned info paper from early '15 warning about this kind of stuff. If you want more information about the incident back then, look me up; my name is Kai Greshake. The paper linked above also contains all you need to know about why this incident today happened. As a response MongoDB also updated their security guidelines back then, but refused to change the open-default mechanism and easy-to-do-wrong configuration, arguing that it was a conscious design choice. Turns out this was a bad decision, at least in my eyes, as this is not the first related incident; there were many breaches etc. based around open-default databases in the past 2 years, exposing millions of account records, voting data, and industry equipment.
[+] dx034|9 years ago|reply
Shouldn't it be possible to trace the transactions to the point where they were used to pay goods or exchange them for real money?
[+] xyunknown|9 years ago|reply
Acquired log of such a hostage taking; it contains the IP of the hostage taker, but beware, it could be obscured by a botnet or similar.

Update: in a different log he used a different server for the attack, suggesting he might be using innocent servers, therefore I removed the log.

[+] xyunknown|9 years ago|reply
Could someone more familiar with MongoDB please confirm that this does not show any backup of data? Maybe MongoDB does not log just looking up data?
[+] sebcat|9 years ago|reply
The IP listed in that log belongs to a DigitalOcean instance.
[+] martinald|9 years ago|reply
Amazed this has taken so long. I think elasticsearch also suffers from this same 'no-auth-by-default' configuration, which is really silly.
[+] Xylakant|9 years ago|reply
Sort of. ES >= 2.0 only binds to localhost by default, so it's at least not by default exposed to the internet. Versions < 2.0 suffer from exactly that flaw: No auth, bind to all ports.
[+] achillean|9 years ago|reply
This has been a known issue for a long time and while I hadn't seen ransomware before these open databases have been attacked previously:

https://blog.shodan.io/its-the-data-stupid/

Note that MongoDB listens on localhost unless changed by the user or the developer is using an insecure image.

[+] xyunknown|9 years ago|reply
Another log shows that he even connects to the same server twice sometimes, deleting his own message just to re-insert it. That means he doesn't even save which servers he deleted. Such blunt action is remarkable.
[+] kirushik|9 years ago|reply
Or that "he" is an automated distributed system without strong consistency guarantees.
[+] userbinator|9 years ago|reply
It might be entertaining to run a honeypot server that responds with some... unusual data. Does anyone know if the client they're using to do this has any vulnerabilities? ;-)
[+] xyunknown|9 years ago|reply
Shouldn't be hard to get the IP etc, as you can just connect to affected servers and review the global log. Just search for mongoDB on shodan and see for yourself.
[+] rohandighe|9 years ago|reply
Hey Guys, we have been affected by this? What's the course of action that we should take? Data is pretty important to us.
[+] wereHamster|9 years ago|reply
At the current price, 0.2 BTC is ~200USD.
[+] mathrawka|9 years ago|reply
So he deleted his email address or sigaint removed it:

Requested action not taken: mailbox unavailable 550 Invalid recipient

[+] mike-cardwell|9 years ago|reply
Unsurprising. On their signup page at http://www.sigaintevyh2rzvw.onion/ it says:

  Are there any rules to using this thing? Generally we are 
  pretty chill, all we ask is that you don't use our FREE 
  service to:

  Spam people
  Threaten people
  Harm people

  Everything else is cool with us.

Looks like he broke rules 2 and 3.
[+] tbarbugli|9 years ago|reply
2BTC for such a felony does not sound like a great deal to me
[+] wereHamster|9 years ago|reply
0.2BTC. But you have to multiply that by the number of open MongoDB installations. Tens of thousands at least. So, 20000*0.2BTC = 4000BTC if everyone pays. That's 4mil USD if everybody pays (not everybody will since many of the installations are personal or just tests running on amazon or other clouds). Still, a lot of money for little risk. BTC is pretty safe if you know what to do.