Thousands of MongoDB installations being hacked

The popular open-source NoSQL database is coming under criticism for its insecure default setup

MongoDB is an open-source document-oriented database system that's become increasingly popular over the last few years. There's been a shift, especially in web applications, away from the traditional relational database systems to the new NoSQL variants that offer more flexibility and performance for many applications.

We'll go through a quick explanation of the difference between relational systems such as MySQL, Postgres and Microsoft SQL Server and the (relatively) new NoSQL systems like MongoDB, Redis, Riak, Memcached etc.

Essentially, relational databases join tables of data together via IDs: a person table would have a person id, and a passport table would have a person_id that defines the relationship to the person table. This allows large inter-connected systems to be modelled that replicate real-world relationships, and it's a massively powerful way to organise data. The problem is that it can struggle with big data applications, because lookups that join multiple tables with billions of records can only be sped up so far. This is partly why the NoSQL model has become popular. It essentially does away with this relationship model and tends to store data in a simpler way, with a key and a value: the key is the lookup id and the value is the data, which can generally contain any number of fields or types of data, so it's not restricted to the column type design of relational systems.

So now we know roughly what MongoDB is and that it's being used in thousands of web applications, you can begin to understand where the problems might arise if it's not secure 'out of the box'. It appears that MongoDB will listen on port 27017 for connections from remote machines that want to query the database. Couple this with the fact that the authorisation system isn't enabled by default when installing MongoDB, and you have a situation where a recently launched application could have a port open, listening for connections from anyone. Once they connect, it will allow them to run queries and actions on the database and its data, and it's easy to see where this all could end up.
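One way to check a `mongod.conf` for the two conditions described above (a listener reachable from other machines, and authorisation left off). This is an added example, not code from the original article or from MongoDB: the sample configs and the `flatten` and `audit` helpers are constructed for illustration, and the parser handles only plain nested mappings rather than full YAML.

```python
import ipaddress

# Constructed sample configs, not taken from any real deployment.
WEAK = "net:\n  bindIp: 0.0.0.0\n"
HARDENED = """net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten nested 'section: / key: value' mappings into dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) of the open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close deeper/sibling sections
            stack.pop()
        if value.strip():
            out[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return out

def audit(conf_text):
    """Return findings for an exposed bind address or disabled authorisation."""
    conf, findings = flatten(conf_text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    if conf.get("net.bindIpAll") == "true":
        findings.append("net.bindIpAll: listens on every interface")
    elif "net.bindIp" not in conf:
        findings.append("net.bindIp not set: effective default depends on version")
    for addr in filter(None, (a.strip() for a in conf.get("net.bindIp", "").split(","))):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # hostname or socket path rather than an IP literal
            if addr != "localhost":
                findings.append(f"net.bindIp {addr}: check what this resolves to")
            continue
        if ip.is_unspecified:  # 0.0.0.0 or ::
            findings.append(f"net.bindIp {addr}: listens on every interface")
        elif not ip.is_loopback:
            findings.append(f"net.bindIp {addr}: reachable from the network")
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

An empty result only means the file sets a loopback bind address and enables authorisation; firewall rules still need their own review.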

MongoDB have posted an article to help users secure their installations. If you're not sure whether your setup is secure, follow their instructions and review your firewall rules as soon as possible.

https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data#suggested-steps

This is also covered on The Register:

http://www.theregister.co.uk/2017/01/11/mongodb_ransomware_followup/

Stay safe out there!

Cowshed:Works

