News broke this morning that ransom attacks on MongoDB databases resumed over the weekend after an apparent pause. According to security researchers Dylan Katz and Victor Gevers, three new groups appeared on the threat landscape and hijacked over 26,000 servers; one of them alone is responsible for hijacking 22,000 machines. Security experts commented below.
Tony Rowan, Chief Security Consultant at SentinelOne:
“In many cases, the data stored and accessed in these MongoDB databases is going to be the lifeblood of the business, so attack groups are going to continue to go after them, especially if the data owners fail to protect that data effectively. As we saw in the previous occurrences, this attack proves fruitful from the perspective of collecting ransoms. I suspect a common failing is the hope that many organisations depend on: ‘We’re not a target. It will never happen to us.’ That’s not the world we live in, though, and the truth of it is that every organisation that is connected to networks is a potential victim in mass targeting.
The only thing that stops them becoming a viable target is the application of a truly effective risk management strategy that encompasses a layered approach to all aspects of security, from vulnerability management, through active endpoint security, all the way to the application of threat intelligence and effective, tested, fast response strategies. These are the approaches that make the difference between minor incidents and becoming front page news.”
“The involvement of new attackers suggests that the initial ‘vulnerabilities’ that allowed the January attack on MongoDB to flourish are still being exploited. Users that are leveraging MongoDB in their environments should change all default settings when installed. Additionally, users using MongoDB (regardless of where deployed) should perform regular health checks on their server’s services, ensuring all applications are patched and any superfluous services are shut off. This will help prevent the kinds of ‘drive-by’ attacks we are seeing against these default MongoDB installs.”
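The "default settings" the quote refers to are, concretely, a mongod that listens on every interface and runs with authorization disabled, which is what let the ransom groups connect, drop the databases and leave a note. The following script is an added example, not code from the article or from MongoDB: it audits a mongod.conf that has already been parsed into a dict (for instance with yaml.safe_load, which is not called here so the block runs offline) for exactly those exposed-by-default settings, plus the pre-3.6 HTTP status interface as an instance of a "superfluous service". The two sample configurations are constructed for the example; the real config keys it inspects are net.bindIp, net.bindIpAll, security.authorization and net.http, and treating a missing bindIp as "all interfaces" reflects the pre-3.6 binary default, which is an assumption about the MongoDB versions deployed at the time.

```python
"""Audit a parsed mongod.conf for the exposed-by-default settings behind the
MongoDB ransom attacks. Added example, not part of the original article."""

# Values of net.bindIp that mean "listen on every interface".
WILDCARD_BIND = {"0.0.0.0", "::", "*"}


def _bind_addresses(net):
    """Return net.bindIp as a list of addresses.

    Assumption: with no bindIp at all, mongod builds before 3.6 bound to all
    interfaces, so a missing key is treated as the wildcard.
    """
    raw = net.get("bindIp", "0.0.0.0")
    if isinstance(raw, str):
        return [a.strip() for a in raw.split(",") if a.strip()]
    return [str(a).strip() for a in raw]


def audit_mongod_config(cfg):
    """Return a list of (setting, message) findings for a parsed mongod.conf."""
    findings = []
    net = cfg.get("net") or {}
    security = cfg.get("security") or {}
    http = net.get("http") or {}

    # Exposure: does mongod accept connections from every interface?
    if net.get("bindIpAll") is True:
        findings.append(("net.bindIpAll", "true: mongod listens on every interface"))
    else:
        exposed = [a for a in _bind_addresses(net) if a in WILDCARD_BIND]
        if exposed:
            findings.append(("net.bindIp", f"{', '.join(exposed)}: mongod listens on every interface"))

    # Access control: without 'enabled', any client that can reach the port
    # can list, read, drop and write every database (the ransom scenario).
    if security.get("authorization") != "enabled":
        findings.append(("security.authorization", "not 'enabled': any client has full access"))

    # Superfluous service: the pre-3.6 HTTP status / REST interface on port+1000.
    if http.get("enabled") or http.get("RESTInterfaceEnabled"):
        findings.append(("net.http", "HTTP status/REST interface is on: unauthenticated diagnostics, switch it off"))

    return findings


def is_drive_by_target(cfg):
    """True when the instance is both reachable from anywhere and unauthenticated,
    i.e. the profile that the mass 'drive-by' ransom campaigns scanned for."""
    findings = audit_mongod_config(cfg)
    listens_everywhere = any(msg.endswith("every interface") for _, msg in findings)
    no_auth = any(key == "security.authorization" for key, _ in findings)
    return listens_everywhere and no_auth


# Constructed sample: what many pre-3.6 installs effectively ran with.
DEFAULT_STYLE_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no "security" section at all, so authorization is off
}

# Constructed sample: the same server after changing the defaults.
HARDENED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}


if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: drive-by target = {is_drive_by_target(cfg)}")
        for key, msg in audit_mongod_config(cfg):
            print(f"  {key}: {msg}")
```

Binding to specific addresses and enabling authorization are the two settings that remove an instance from the scan results the ransom groups were working from; running this over the config on each host is one cheap "health check" to add to the regular review the quote recommends.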