The latest victims of ransomware attackers are MongoDB users. In short, ransomware is a class of malware and attack in which the attacker encrypts the target system's data, or copies it to a remote server and deletes it from the target, and then claims the data will be returned in exchange for a ransom.

Among database management systems, MongoDB is one of the largest players in the NoSQL space, and terabytes of its users' data were targeted: 28,000 MongoDB databases were affected by this attack. The attackers transferred the data to remote servers under their control and left a note on each target system as a database record, demanding payment in bitcoin and citing the user's own server IP address.

It is reported that nearly twenty companies have paid the ransom in bitcoin, but there are cases where the data cannot be recovered even after payment is made.

How did it happen?

As of MongoDB version 2.6, the default configuration file binds the server to the IP address 127.0.0.1, so it only answers local connections. In versions prior to 2.6, however, the default configuration accepts remote connections as well as local ones. Authentication is also not required by default in versions prior to 2.6, so the default configuration allows access by unauthorized users.

In pre-2.6 installations, 27017 is the default port, and a port scan with simple tools is enough to list MongoDB servers that are likely to be vulnerable. Unfortunately, this vulnerability is not newly discovered: in 2015, 30,000 vulnerable MongoDB installations were reported.

What should be done?

MongoDB installations that have not yet fallen victim to this vulnerability need to be updated and their configuration files reviewed. In fact, this is considered a configuration vulnerability rather than a structural or software vulnerability in MongoDB itself.
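As an added example (not part of the original article), the following Python audit checks a mongod configuration file for the two settings discussed above, the bind address and authentication, in both the pre-2.6 key = value format and the 2.6+ YAML format. The sample configurations are constructed for illustration and the function names are my own.

```python
"""Audit a mongod configuration for the bind-address and authentication settings
behind the exposure described in the article. Standard library only."""

# Constructed sample: pre-2.6 style (key = value) config with the weak defaults.
WEAK_LEGACY = """
port = 27017
# no bind_ip line -> listens on all interfaces
# no auth line    -> unauthenticated access allowed
"""

# Constructed sample: 2.6+ YAML style config with the corrected settings.
HARDENED_YAML = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_config(text):
    """Return a flat dict of settings from a legacy (key = value) or YAML mongod.conf.
    Nested YAML keys are flattened with dots, e.g. net.bindIp. Comments are dropped."""
    settings = {}
    stack = []  # (indent, key) pairs tracking the current YAML nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if "=" in line and ":" not in line:  # legacy ini-style line
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling sections
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            settings[".".join(k for _, k in stack)] = value.strip()
    return settings


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    s = parse_config(text)
    findings = []
    bind = s.get("net.bindIp", s.get("bind_ip"))
    if bind is None or "0.0.0.0" in bind:
        findings.append("listens on all interfaces (no bindIp/bind_ip, or 0.0.0.0)")
    auth = s.get("security.authorization", s.get("auth"))
    if auth is None or auth.lower() not in ("enabled", "true"):
        findings.append("authentication not enforced (security.authorization/auth)")
    return findings
```

Running `audit()` over a deployed mongod.conf gives a quick first pass at the review the article recommends; it does not replace checking the running server's actual bind address and user accounts.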