Beyond Ransomware: MongoDB Attacks Highlight the Challenge of Securing the “Weakest Link”
In insight / By Phil Muncaster / 27 September 2017
Is there such a thing as a cyber ransom attack which doesn’t involve ransomware? Do vendors need to do more to prevent users making basic cybersecurity mistakes? Are IT teams failing to keep pace with a new cloud-first reality?
These are all questions raised by a major new attack campaign targeting organisations running the open source MongoDB database around the world. They get to the heart of an age-old challenge for information security professionals: the risk to data and systems posed by careless and negligent employees. It might be time for IT to get serious about addressing this “weakest link” in corporate security.
Ransomware-free ransom attacks
The September attacks on MongoDB installations were a continuation of an earlier round at the end of 2016. Many have been traced back to groups, like the one dubbed “Kraken”, that are also linked to ransomware campaigns. However, this type of attack is different. The attackers scan the internet for MongoDB instances exposed on the database’s default port, TCP 27017, and accepting connections without authentication. When they find one, a simple script automatically deletes the database and creates a similarly named one containing just one record: a ransom note. The note claims the original data has been copied to the attacker’s server and can only be recovered by paying a ransom of BTC 0.15 (around $650 at the time).
It’s even more straightforward than a ransomware attack, relying simply on poor security practice on the part of the victim organisations. A MongoDB spokesperson confirmed to me that the users that had been affected in this latest round of attacks left their databases exposed to the public internet without passwords. At the time of writing, over 75,000 victims had been discovered according to a Google Docs spreadsheet maintained by researchers Victor Gevers and Dylan Katz.
For many, the data inside those deleted MongoDB instances could be vital to their business.
If the deleted databases contained customers’ personally identifiable information (PII), such incidents would have to be reported to regulators under the forthcoming EU General Data Protection Regulation (GDPR). From 25 May 2018, that could mean fines of up to €20m (roughly £17m) or 4% of global annual turnover, whichever is higher. This is more than an IT security issue; it’s something that boardrooms everywhere should be concerned about.
Vendors vs users
This is not an isolated incident. Apart from the attacks on MongoDB users a few months back, similar raids have been spotted against Elasticsearch, Hadoop, CouchDB, Cassandra, and MySQL servers – once again taking advantage of poor security such as missing authentication or easy-to-guess passwords. We can also see parallels in the proliferation of major data leaks stemming from poorly configured Amazon S3 buckets.
Security firms like UpGuard have detailed scores of cases over recent years where huge troves of sensitive data have been exposed to the public internet, often as a result of mistakes made by third-party partners. Most recently, Verizon spilled details of at least six million customers; Dow Jones was blamed for leaking data on 2.2m users; and 60,000 US Department of Defense files requiring Top Secret access were exposed after an “unintentional mistake” by a contractor.
So, should vendors be doing more to ensure such mistakes can’t be made? MongoDB’s response to the attacks at the turn of the year was to highlight its security checklist for customers. But some commentators claimed these items should be enabled by default, to improve baseline security. Veracode founder, Chris Wysopal, argued “software with insecure default configuration is broken”.
In a new blog post, MongoDB explained that it has since added further security controls, including “localhost binding”: by default the server now binds only to the loopback address (127.0.0.1), so it refuses connections from other hosts, including anything on the public internet, unless an administrator explicitly configures it to listen on an external interface. That behaviour has been built into the server since development release 3.5.7, and so applies to everyone on the 3.6 release line.
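As an added example (not MongoDB’s own tooling, and not code from the original article), the following Python script reads the indented key/value subset of YAML that mongod.conf uses and reports on the two settings at issue in this story: `net.bindIp` (or `net.bindIpAll`) and `security.authorization`. The option names are MongoDB’s; the two embedded configuration files are constructed for illustration, and the 10.0.0.5 address and /var/lib/mongo path are placeholders, not values from any real deployment.

```python
"""Audit a mongod.conf for the two controls discussed above: does the
server listen beyond localhost, and is authentication enforced?
Added example; not MongoDB's own tooling."""

from typing import Any

# Constructed sample configs (placeholders, not from any real deployment).
# 1) The kind of setup that was hit: listening on every interface, no auth.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# 2) Hardened: loopback plus one explicit private address, and
#    role-based access control switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text: str) -> dict[str, Any]:
    """Minimal parser for the indented 'key: value' subset of YAML that
    mongod.conf uses. A line ending in ':' opens a nested mapping; comments
    and blank lines are ignored. Not a general YAML parser."""
    root: dict[str, Any] = {}
    stack: list[tuple[int, dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Pop back to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child: dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means both controls are in place."""
    findings: list[str] = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    else:
        raw = net.get("bindIp")
        addrs = {a.strip() for a in str(raw).split(",")} if raw else set()
        if not addrs:
            # The server's own default before 3.6 was to listen on all
            # interfaces; only the 3.6 line binds to localhost by default.
            findings.append("net.bindIp not set: servers older than 3.6 listen on all interfaces")
        elif "0.0.0.0" in addrs or "::" in addrs:
            findings.append(f"net.bindIp={raw}: wildcard address exposes mongod to every network")
        elif not addrs & LOOPBACK:
            findings.append(f"net.bindIp={raw}: no loopback address; local admin tools must go over the network")

    # security.authorization defaults to disabled: any client gets full access.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization not enabled: any connecting client has full access")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        result = audit(parse_conf(text))
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

To run it against a real server, feed it `open("/etc/mongod.conf").read()`. A clean result only covers the configuration file: a firewall rule or cloud security group that opens TCP 27017 to the world, or authorization enabled before any user accounts exist, will not show up here, so confirm by attempting an unauthenticated connection from outside the host.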
The Shadow IT challenge
It’s clear that responsibility in this discussion isn’t all on the vendor side. As Gevers has argued, business customers are often too quick to create new instances without working out how to secure them.
"People are happy to follow a tutorial to install a server, but have no idea what they are doing,” he told The Register, also pointing the finger at DevOps automation which makes it even easier to create new servers without adequate security attached.
The truth is that IT security teams can’t wait for the vendors to act. They have to take the initiative by creating more watertight rules around the creation of cloud infrastructure, and improving cybersecurity education and awareness. It’s no longer a valid strategy to rely on “security-by-obscurity” – hoping attackers can’t be bothered to find your insecure installations. If they’re publicly searchable via the internet, they’re at risk.
This will be a delicate balancing act for IT bosses, given that the business will certainly argue that any undue interference would put a brake on productivity and growth. Yet it’s not unreasonable to create a policy whereby if a user wants to create a new cloud instance, they need to configure/secure it properly, or be blocked by IT. With cloud services proliferating in the enterprise, this “shadow IT” issue needs tackling head on, or firms could be unnecessarily exposing themselves to serious financial loss and reputational damage.
Nasstar's Head of Continual Service Improvement, Steve Peak, comments:
"Ransomware is a serious worldwide issue and has become a major factor when considering security in IT systems. Nasstar lead the way in the market by having deployed the most sophisticated countermeasures available to protect customers against the threat of ransomware.
Nasstar has many layers of security protecting its hosted platforms but it is crucial that its clients create a cyber savvy culture within their organisation. That comes from the top down, and it spreads via effective training and regular updates to ensure best practice is always front of mind for staff.
That’s why as a managed service provider, Nasstar puts a major focus on education and training – of our own staff and those of our clients, in things like Cyber Essentials. Security is present at every layer of our organisation, and it can be in yours too."
For more information contact Steve Peak to find out how Nasstar can protect your services.