MongoDB, the free and open source NoSQL database that is used by hundreds of thousands of web sites, is under attack.
A number of attackers are using search engines like Shodan to find Mongo databases that are exposed to the Internet and attempting to compromise them. Apparently, a surprising number of these databases are set up either with no password or the default password. Some of them are also unpatched.
The combination of all of these issues makes for easy pickings for hackers.
First find the database, then attack it. If you get in, back up the database(s), copy the data to a server in Ukraine or some place and delete all the data. Then tell the users that if they pay up they will get their data back. Pretty simple.
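The exposure described above comes down to two server settings: which network interfaces mongod listens on, and whether it requires clients to authenticate at all. The two mongod.conf fragments below are added here as an illustration; they are not from the original post or from the MongoDB project. The first shows the kind of configuration that is reachable from the Internet with no credentials (MongoDB binaries before 3.6 listened on all interfaces unless told otherwise, and access control is off unless enabled); the second shows the hardened equivalent. The 10.0.0.5 address is a constructed example standing in for a private application-tier interface.

```yaml
# --- Exposed configuration (illustrative) -----------------------------------
# Listens on every interface and requires no credentials: anyone who can
# reach TCP 27017 can list, dump and drop every database on the server.
net:
  port: 27017
  bindIp: 0.0.0.0            # reachable from any network, including the Internet
security:
  authorization: disabled    # no authentication; every client is effectively admin

# --- Hardened configuration (illustrative) ----------------------------------
# Listens only on loopback and a private interface (10.0.0.5 is a constructed
# example) and forces every client to authenticate before running any command.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # loopback plus the private app-tier address only
security:
  authorization: enabled     # clients must log in; roles limit what each can do
```

Two practical notes. Turn `security.authorization` on only after creating at least one administrative user, because once it is enabled only the localhost exception lets an unauthenticated session create that first account. After the restart, check both settings from the outside: a connection attempt from a host that is not on a listed interface should be refused at the TCP level, and an unauthenticated connection on an allowed interface should be rejected with an authentication error rather than returning data. A host firewall that only admits the application servers, plus tested, offline backups, covers the two remaining points in the post: the server stays unreachable even if a future configuration change slips, and a wiped database can be restored without paying anyone.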
For users that do not have appropriate backups, paying the ransom may be the only possible option.
Whether users have a backup or not, this likely constitutes a breach under HIPAA, PCI or state privacy laws because the user has lost control of the data. That could lead to fines and reputational damage.
What is surprising is how poorly protected these databases seem to be.
In one day, the number of compromised databases jumped from about 12,000 early yesterday to over 27,000 later in the day, and it is still growing rapidly.
Researchers have identified at least 15 different attackers – apparently, they consider this a target rich environment.
The attackers are asking for around 1 Bitcoin or about $900.
Realistically, for most users, paying $900 to not have to deal with the mess is likely worthwhile and many are paying.
Judging by the field day the attackers are having, security is apparently not a priority for many Mongo database administrators.
For those of you responsible for servers on the Internet, making sure that those servers are secure would seem to be a no-brainer and a high priority. Apparently not so for many MongoDB users.
Kind of like driving past a car wreck, it is impossible not to be fascinated by the carnage of all these database attacks at one time.
While I feel sorry for the businesses that are being affected, it is not as if people did not know. Secure your servers. Patch them. Monitor them. IT 101.
So for those of you responsible for your servers, as you tuck those servers in for the night tonight, make sure that they are secure. If they are not, or you just think they may not be, put fixing that at the top of your to-do list for tomorrow.
Information for this post came from The Register.