
Unsecured MongoDBs taken hostage - xyunknown
!!! Important Follow-up !!!:

I've acquired the portion of the log related to the hostage taking, posted below. In particular this log shows that __no__ backup of the data was taken. So please don't pay any money!

------------------------------------------

Although my colleagues and I have already pointed out the issue of open-by-default databases in spring 2015 (look at the references), today it seems for the astonishingly first(?) time somebody took the opportunity to erase hundreds of MongoDBs leaving only this message:

{ "_id" : ObjectId("5859a0370b8e49f123fcc7da"),
"mail" : "harak1r1@sigaint.org",
"note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }

Well played, system admins.

Updates:

The price for the data seems to equate to about 200 USD currently. Thanks, wereHamster.

This has been going on since at least yesterday (https://twitter.com/achillean/status/816385533538631680). Thanks, NietTim.

There have already been transactions by presumed victims: https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq . Thanks, anondon.

Please read the official security checklist by MongoDB! In particular, use passwords and don't expose on all interfaces (duh!)! https://docs.mongodb.com/manual/administration/security-checklist/

Sources/References:

The Jan '15 info paper of which I am one of the authors: https://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf

(Jan '17) http://www.csoonline.com/article/3154190/security/exposed-mongodb-installs-being-erased-held-for-ransom.html

http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/

(German) https://www.heise.de/newsticker/meldung/Eindringling-nimmt-offenbar-MongoDB-Datenbanken-als-Geisel-3587479.html
======
DyslexicAtheist
"hack" is the wrong word considering we're talking about DB instances exposed
to the Internet without access controls.

Please don't say "hack" when you've been auto-pwned by something that uses an
_OWASP TOP-10_ to get you. It's carelessness, inexperience, possibly
negligence or anything in between. But for sure it is _not_ a hack!

~~~
koolba
Using "hack" to refer to this is like leaving your front door wide open and
referring to being robbed as an Ocean's 11 style escapade.

~~~
simonw
I'd argue this metaphor is why it IS appropriate to use the word "hack" here.

If you left your door unlocked and someone stole your stuff, that's still a
robbery.

If you left your database accidentally misconfigured and someone stole your
data and left you an extortion notice, that's still a "hack".

Is misconfiguring MongoDB really that different from e.g. installing a
Wordpress plugin with a security flaw and getting hacked via that?

~~~
koolba
> If you left your door unlocked and someone stole your stuff, that's still a
> robbery.

True but hack in this context would be metaphorically closer to "breaking and
entering". If your door is open, you've only got the latter half (from an
English, not legal, definition).

> If you left your database accidentally misconfigured and someone stole your
> data and left you an extortion notice, that's still a "hack".

I suppose it's a matter of semantics for me. If I use the word "hack" I'd
expect a bare level of finesse to get past _some_ defense or prevention
system.

> Is misconfiguring MongoDB really that different from e.g. installing a
> Wordpress plugin with a security flaw and getting hacked via that?

Not in my book. They're all terrible decisions but then again anything that
involves "Using X without understanding the implications of the default set up
of X" tends to be a terrible decision.

------
mrweasel
It's fascinating that someone installs and configures MongoDB and doesn't stop
to think: "Hey, maybe this shouldn't be exposed directly to the internet". I
mean you wouldn't do that with something like MySQL.

Some sort of analysis of the purpose of these directly exposed MongoDB
instances could be interesting. Are they being used as a backend for
JavaScript applications?

~~~
dx034
Many database systems are by default only exposed to localhost, you'd have to
specifically change the settings to be able to talk to it from outside. That's
at least the case for Postgres and MSSQL, not sure about MySQL.

I don't see any reason that a database should allow to listen to any address
without authentication. There shouldn't be a real world application requiring
this.

~~~
nkozyra
MySQL is the same with bind-address. If someone chooses to expose a db/store
to the world, it would be nice if there was some automatic auth enabled. This
isn't Mongo-specific, Elasticsearch is the same way.

~~~
agopaul
In MySQL you have to change the bind-address but also allow the user to access
from any IP (%) in order to access from any IP. Opening the service to the
whole web is not enough.

~~~
nkozyra
True, and hopefully if/when people do that they're not GRANT to '%'@'%' or
whatever, but I figure if you're not going to bother to tunnel who knows what
other silly things you might do.

And this is a case in point.

------
SillentTroll
I also have been affected by the same "hack". Turns out I had simply forgotten
to start mongod with the --auth option, even though I had created users for
different databases, including the admin! Looks like in "non secure mode" it
allows logins with existing users as well as non-authorized ones.

I understand why the authentication is disabled by default, but it should fail
to start with a DB that has users with roles and stuff.

~~~
dx034
Why should it be disabled by default? I don't see a reason why any database
system would run without auth. At installation they can always use a local
user account if no password is provided.

~~~
mhotchen
I wouldn't call it a bastion of security but MySQL typically installs with a
root user with no password. So how do they not have the same level of exposed
data? By default only local connections are allowed. If Mongo had the same
pattern then this whole calamity could have been avoided whilst still allowing
the ease of setting up on local environments.

~~~
malka
IIRC, even if you enable remote connection, the passwordless login is still
only authorized locally.

~~~
mhotchen
Yeah good point, you're right. The root user is defined as root@localhost, not
root@%.

------
anondon
Look at the btc address history:
[https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq](https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq)

Looks like the guy pulled off these blackmailing/hostage tricks before as
well.

Not to pile on to the already tense situation, would you be open to sharing
how this happened, what the database contained etc, sort of like a post mortem
without revealing any personally identifiable info.

~~~
dx034
Shouldn't it be possible to trace the transactions to the point where they
were used to pay goods or exchange them for real money?

~~~
xyunknown
No, that's why things like BTC tumblers/laundering exist.

~~~
dx034
Ok, I didn't know you can use them. But probably still worth a try, certainly
not used by everyone.

------
fauria
MongoDB has a security checklist published, I think it is interesting to
review it:
[https://docs.mongodb.com/manual/administration/security-checklist/](https://docs.mongodb.com/manual/administration/security-checklist/)

------
xyunknown
Acquired log of such a hostage taking, contains the IP of the hostage taker,
but beware it could be obscured by a botnet or similar.

Update: in a different log he used a different server for the attack,
suggesting he might be using innocent servers, therefore I removed the log.

~~~
xyunknown
Could someone more familiar with MongoDB please confirm that this does not
show any backup of data? Maybe MongoDB does not log just looking up data?

~~~
jstanley
The database was dropped within ~1 second of the connection, so either it was
a very small database or he didn't have time to take a backup.

~~~
xyunknown
My thoughts, too. But before claiming this I at least wanted to encourage a
second look. I also ensured this was the only time he connected, so there is
no plausible way he is backing up the data.
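One way to check a mongod log for the evidence the replies above weigh (jstanley's point that the drop followed the connection within about a second, and the question of whether any read or backup traffic preceded it), as an added example that is not from the thread or from the poster's own log. It assumes the plain-text line layout mongod 3.x writes by default; the sample lines, connection numbers and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the line layout mongod 3.x writes by default (the thread's real log
# is not on the page). conn42 drops a database right after connecting with no reads;
# conn43 runs find/getMore (what mongodump issues) for seconds before dropping.
SAMPLE_LOG = """\
2017-01-03T22:15:01.120+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:51234 #42 (3 connections now open)
2017-01-03T22:15:01.390+0000 I COMMAND  [conn42] command admin.$cmd command: listDatabases { listDatabases: 1 } 0ms
2017-01-03T22:15:01.910+0000 I COMMAND  [conn42] dropDatabase shop starting
2017-01-03T22:15:02.010+0000 I WRITE    [conn42] insert WARNING.WARNING ninserted:1 1ms
2017-01-03T23:40:10.000+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.7:40001 #43 (3 connections now open)
2017-01-03T23:40:10.200+0000 I COMMAND  [conn43] command shop.orders command: find { find: "orders" } 120ms
2017-01-03T23:40:12.500+0000 I COMMAND  [conn43] command shop.orders command: getMore { getMore: 77 } 90ms
2017-01-03T23:40:15.000+0000 I COMMAND  [conn43] dropDatabase shop starting
"""

LINE_RE = re.compile(r"^(\S+) \S (\w+)\s+\[(\w+)\] (.*)$")
ACCEPT_RE = re.compile(r"connection accepted from (\S+) #(\d+)")
DROP_RE = re.compile(r"dropDatabase (\S+) starting")
READ_CMDS = ("find", "getMore", "query", "aggregate")  # what a dump must issue; listDatabases reads no data

def analyse(log_text):
    conns = {}  # per connection: remote, accept time, dropped dbs, seconds to first drop, reads before it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
        ctx, msg = m.group(3), m.group(4)
        acc = ACCEPT_RE.search(msg)
        if acc:  # new connection: every later [connN] line is keyed by N
            conns[acc.group(2)] = {"remote": acc.group(1), "accepted": ts, "dropped": [],
                                   "seconds_to_drop": None, "reads_before_drop": 0}
            continue
        c = conns.get(ctx[4:]) if ctx.startswith("conn") else None
        if c is None:
            continue
        drop = DROP_RE.match(msg)
        if drop:
            c["dropped"].append(drop.group(1))
            if c["seconds_to_drop"] is None:
                c["seconds_to_drop"] = (ts - c["accepted"]).total_seconds()
        elif c["seconds_to_drop"] is None and any(f"command: {r} " in msg for r in READ_CMDS):
            c["reads_before_drop"] += 1
    return conns

def backup_plausible(conn):
    # Copying data needs read traffic before the drop; a drop within ~1 s of connecting with no reads cannot have.
    return conn["reads_before_drop"] > 0 and (conn["seconds_to_drop"] or 0.0) > 1.0
```

Run it over the full log rather than one excerpt, since the thread notes the same server can be visited more than once and each connection gets its own entry.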

~~~
xyunknown
There is now more evidence supporting that there are no backups, e.g. he
doesn't even store information about which servers he already looted (he is
erasing the same servers twice or more). Until someone has logs that prove
otherwise on bigger datasets, nobody should pay this guy. Also it seems
implausible seeing the vast amount of data which he would need to have backed
up, closing in several hundreds of terabytes, based on an estimation of last
year.

------
martinald
Amazed this has taken so long. I think elasticsearch also suffers from this
same 'no-auth-by-default' configuration, which is really silly.

~~~
Xylakant
Sort of. ES >= 2.0 only binds to localhost by default, so it's at least not by
default exposed to the internet. Versions < 2.0 suffer from exactly that flaw:
No auth, bind to all ports.

~~~
spydum
I think this is still a cop out: first thing junior will do when he can't
connect to his database from home is google it, then find out how to bind to
all IPs. Network access is BARELY viable access control, as it's too easy to
fail open.

~~~
Xylakant
I absolutely agree with you. One of my biggest issues with ES is that
authentication (even basic) and encrypted intra-cluster communication requires
a (commercial) plugin. Either shield, which is not available as a standalone
piece of software or SearchGuard, which is sort-of-free with limited
functionality. I do consider those basic functions that should be available
out of the box.

~~~
jkressin
The basic version of Search Guard provides TLS/SSL encrypted intra-cluster
communication and also HTTP basic authentication totally free of charge also
for commercial projects. Only for authentication methods like LDAP or
Kerberos, or for advanced features like Document-Level-Security and audit
logging a license is needed. Disclaimer: I work for floragunn/Search Guard.

------
achillean
This has been a known issue for a long time and while I hadn't seen ransomware
before these open databases have been attacked previously:

[https://blog.shodan.io/its-the-data-stupid/](https://blog.shodan.io/its-the-data-stupid/)

Note that MongoDB listens on localhost unless changed by the user or the
developer is using an insecure image.

------
NietTim
It's been going on for quite some time already, see:
[https://twitter.com/achillean/status/816385533538631680](https://twitter.com/achillean/status/816385533538631680)

------
xyunknown
Another log shows that he even connects to the same server twice sometimes,
deleting his own message just to re-insert it. That means he doesn't even save
which servers he deleted. Such blunt action is remarkable.

~~~
kirushik
Or that "he" is an automated distributed system without strong consistency
guarantees.

------
userbinator
It might be entertaining to run a honeypot server that responds with some...
unusual data. Does anyone know if the client they're using to do this has any
vulnerabilities? ;-)

~~~
xyunknown
Shouldn't be hard to get the IP etc, as you can just connect to affected
servers and review the global log. Just search for mongoDB on shodan and see
for yourself.

------
rohandighe
Hey Guys, we have been affected by this? What's the course of action that we
should take? Data is pretty important to us.

~~~
mike-cardwell
Restore from backups.

~~~
rohandighe
I don't have any :(

~~~
Ded7xSEoPKYNsDd
Pull the plug on the server and send the disks to a data recovery company?
Most file contents are probably still on the disk (just marked as erased), but
the longer you wait the more likely it is that random temp files overwrite
more of your data.

(Note: I have no idea how exactly mongo implements deletion.)

------
wereHamster
At the current price, 0.2 BTC is ~200USD.

------
mathrawka
So he deleted his email address or sigaint removed it:

Requested action not taken: mailbox unavailable 550 Invalid recipient

~~~
mike-cardwell
Unsurprising. On their signup page at
[http://www.sigaintevyh2rzvw.onion/](http://www.sigaintevyh2rzvw.onion/) it
says:

      Are there any rules to using this thing? Generally we are
      pretty chill, all we ask is that you don't use our FREE
      service to:

      Spam people
      Threaten people
      Harm people

      Everything else is cool with us.

Looks like he broke rules 2 and 3.

------
tbarbugli
2 BTC for such a felony does not sound like a great deal to me.

~~~
wereHamster
0.2BTC. But you have to multiply that by the number of open MongoDB
installations. Tens of thousands at least. So, 20000*0.2BTC = 4000BTC if
everyone pays. That's 4mil USD if everybody pays (not everybody will since
many of the installations are personal or just tests running on amazon or
other clouds). Still, a lot of money for little risk. BTC is pretty safe if
you know what to do.

~~~
3manuek
Worst thing is that the data loss impact in money is not limited to the
blackmail rates. What I'm saying is that even if everyone pays and 4kBTC (4.3M
USD today) is collected by the perpetrator, there are other impacts in terms
of legal issues and insurance. I don't know how to calculate this, but it
could be an interesting number tho.

~~~
wereHamster
You don't need to calculate it, don't even try to estimate it. Just make up a
number. A huge number. Larger than the whole world's GDP if you can. That's
how the RIAA did it.

