Thousands of MongoDB Databases Left Exposed Online
The year 2017 began with thousands of MongoDB databases containing personal and regulated data being stolen and possibly deleted from the Internet for good. Extortionists replaced the databases with ransom notes demanding payment for restoring the files. In a matter of days, the number of hijacked databases has risen from hundreds to thousands and by January 11 reached over 32,000.
MongoDB is a popular free open-source NoSQL database platform with a lot of companies worldwide using it to store their data online.
Although the news may be quite shocking, the problem with MongoDB is well known. Researchers found out about the problem a couple of years ago, discovering that it is easy to misconfigure the database and leave the data exposed online, which allows any remote attacker access the database without applying any special hacking software. For example, the default configuration of MongoDB allows any user to have full access to the database, i.e. not only browse and download it, but also to rewrite and delete it. Over the years, several big companies (Verizon Enterprise, MacKeeper, Kreditech, etc.) accidentally published personal data of their customers via incorrectly configured MongoDB databases.
This time non-password-protected MongoDB installations are at target. Organizations that have left their MongoDB databases in the default configuration allowed their databases to be accessed without the need for usernames or passwords or any authentication whatsoever.
This vulnerability affects organizations that are using older versions of the program. In its previous versions MongoDB had unrestricted remote access activated by default. Since the version 3.0 the remote access is disabled by default. But many organizations are still using older versions or didn’t bother to change their configuration settings after installing the newer version, so the unrestricted data access turned on remained unnoticed.
Among the victims facing the problem are two US healthcare providers. Their databases are being held for ransom with medical records of thousands of patients being blocked. The databases contain information such as patients’ names, e-mail addresses, home addresses and highly sensitive details about patients’ medical conditions.
Companies that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized users. Given the number of databases already attacked, failure to do so can result in data being breached, or permanently deleted. It is estimated that there are more than 99,000 organizations that potentially have misconfigured MongoDB databases and, therefore, are at risk.
What are the lessons to be learnt from all this? We offer several crucial steps companies should take to protect their databases. If either of these had been applied timely, the situation described above could have been successfully avoided.
Harden Your Database to the Fullest Extent PossibleDefault settings are not enough. Database software should be updated in a timely fashion and unneeded default services and functions should be turned off or removed. DBAs must also care about making back-ups.
Enforce Secure Authentication to the DatabaseAllowing only authorized users to have access to the database is a basic step to ensure data protection. Strong passwords are a must.
Use a Database FirewallDAF is an essential tool designed to keep data protected. Locating the database server behind a firewall with security rules denying suspicious traffic and not allowing direct client access keeps data safe.
Configure the System FirewallSystem administrators are strongly recommended to use system firewalls (e.g. Netfilter, Ashampoo Firewall, Comodo Firewall, etc.) and configure them to close ports on public interfaces.
If you want to fully protect your MongoDB databases use the following tools from DataSunrise: