News broke this morning that ransom attacks on MongoDB databases resumed over the weekend after an apparent pause. According to the security researchers Dylan Katz and Victor Gevers, three new groups appeared on the threat landscape and hijacked over 26,000 servers. One of them, in particular, is responsible for hijacking 22,000 machines. Security experts commented below.
Tony Rowan, Chief Security Consultant at SentinelOne:
“In many cases, the data stored and accessed in these MongoDB databases is going to be the lifeblood of the business, so attack groups are going to continue to go after them, especially if the data owners fail to protect that data effectively. As we saw in the previous occurrences, this attack proves fruitful from the perspective of collecting ransoms. I suspect a common failing is the hope that many organisations depend on – “We’re not a target. It will never happen to us.” That’s not the world we live in though, and the truth of it is that every organisation that is connected to networks is a potential victim in mass targeting.
The only thing that stops them becoming a viable target is the application of a truly effective risk management strategy that encompasses a layered approach to all aspects of security. From vulnerability management, through active endpoint security and all the way through to the application of threat intelligence and effective tested fast response strategies. These are the approaches that make the difference between minor incidents and becoming front page news.”
Kyle Wilhoit, Senior Cybersecurity Threat Researcher at DomainTools:
“The involvement of new attackers suggests that the initial ‘vulnerabilities’ that allowed the January attack on MongoDB to flourish are still being exploited. Users that are leveraging MongoDB in their environments should change all default settings when installed. Additionally, users using MongoDB (regardless of where deployed) should perform regular health checks on their server’s services, ensuring all applications are patched and any superfluous services are shut off. This will help prevent the kinds of ‘drive-by’ attacks we are seeing against these default MongoDB installs.”
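As an added example, not part of the article or any vendor's tooling: a small Python audit for the two mongod.conf settings behind the "default install" exposure Wilhoit describes, namely running without `security.authorization: enabled` and binding the listener to every interface. The two sample configuration files are constructed for this example, and the parser handles only the flat `section:` / `  key: value` layout those files use, which is enough for the keys checked here.

```python
"""Audit a mongod.conf for the settings that left MongoDB instances exposed
in the 2017 ransom campaigns: no authorization and binding to every interface.
The sample configurations below are constructed for this example and do not
come from any real deployment."""

# Constructed sample: an unhardened mongod.conf (hypothetical)
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # trailing comment, stripped by the parser
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same file with the defaults changed as advised above
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Bind addresses that expose the listener on every interface
BIND_ALL = {"0.0.0.0", "::"}


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of mongod.conf YAML.

    That covers the keys audited here (net.bindIp, net.bindIpAll,
    security.authorization); it is not a general YAML parser.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")  # split at the first colon only
        key, value = key.strip(), value.strip()
        if not indented:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit(conf):
    """Return a list of (code, message) findings for the exposure-relevant settings."""
    findings = []

    # Finding 1: no authorization means any client that can reach the port
    # gets full read/write access without credentials.
    authz = conf.get("security", {}).get("authorization", "disabled")
    if authz.lower() != "enabled":
        findings.append(("no-auth",
                         "security.authorization is not 'enabled': clients that "
                         "reach the port get full access with no credentials"))

    # Finding 2: the listener is reachable on every interface, so the database
    # is one port-forward or firewall gap away from the public internet.
    net = conf.get("net", {})
    if net.get("bindIpAll", "").lower() == "true":
        findings.append(("bind-all",
                         "net.bindIpAll is true: listening on every interface"))
    else:
        addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
        if not addrs:
            findings.append(("bind-unset",
                             "net.bindIp is not set: mongod releases before 3.6 "
                             "then listen on all interfaces, so set it explicitly"))
        elif any(a in BIND_ALL for a in addrs):
            findings.append(("bind-all",
                             f"net.bindIp contains {', '.join(addrs)}: "
                             "listening on every interface"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a configuration file's contents, then audit it."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Running it reports two findings for the weak file (`no-auth`, `bind-all`) and none for the hardened one. The check is deliberately narrow: it confirms the two settings that made the January installs reachable and unauthenticated, and a "health check" of the kind Wilhoit recommends would pair it with patch-level and open-port review on the host.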