This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Candygram for Mongo??

KevinStear1
Employee
Employee
‎2017-01-10 05:23 PM
Over the last several weeks, the security community has bit their collective tongues as they watch thousands of Internet accessible mongoDB instances powned at an alarming rate.  In fact, according to an article published by BLEEPINGCOMPUTER this morning:
 

The number of hijacked MongoDB servers held for ransom has skyrocketed in the past two days from 10,500 to over 28,200, thanks in large part to the involvement of a professional ransomware group known as Kraken.

According to statistics provided by two security researchers monitoring these attacks, Victor Gevers and Niall Merrigan, this group is behind around nearly 16,000 hijacked databases, which is around 56% of all ransacked MongoDB instances.

The Kraken group got involved in these MongoDB attacks on Friday, January 6, seeing how successful and profitable previous attacks from other groups had been.

   
The vulnerability (and potential ransoming) of thousands of MongoDB instances is based on two common security denominators: authentication/authorization and network access control.  First, MongoDB by default employs no-authentication for read/write access, but there are a number of available and routinely utilized security extensions.  As for networking, accessibility of default port allocations (e.g., 27017-default, 28017-REST) needs to be controlled via basic IT hygiene measures such as iptables and firewalls.
   
These are basic security aspects (that are well documented by MongoDB, https://docs.mongodb.com/v3.4/security/), and yet people continue to deploy Internet facing MongoDB instances with default or improper configurations, leaving themselves extremely vulnerable to elementary attack vectors.  In the case of recent ransomware infections, actors simply connect to the DB, export and drop tables, and then ransom their return for bitcoin.  
  
.mongo-ransom.png
  
NetWitness customers can evaluate their possible exposure to this malicious activity via a simple rule: direction = ‘inbound’ && risk.info  = ‘flags_syn’ && tcp.dstport = ‘27017' *, and everyone using MongoDB instances should ensure that their administrators:
  1. Enable authentication (i.e., start by setting auth = true in in the config file)
  2. Use firewalls to disable remote access by binding local IP addresses and blocking access to port 27017

MongoDB has also released additional specific guidance in response to recent ransomware attacks, which is available at https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data. 

  
  
FirstWatch_banner.png
 
* suggested app rule may differ slightly depending on NetWitness configuration
9 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.