Protecting Big Data: Over 26,000 MongoDB Servers Hit by Ransom Attacks

Security reseachers Victor Gevers and Dylan Katz recently uncovered a series of ransom attacks targeting MongoDB databases that hit more than 26,000 servers in the past week, BleepingComputer reports.

This is the second set of attacks on unsecured MongoDB servers this year — another series of attacks in December 2016 and January 2016 hijacked more than 10,000 databases.

In a blog post published following the earlier attacks, MongoDB lead security engineer Andreas Nilsson offered suggestions on how to diagnose and respond to an attack.

In last week’s attacks, it appears that three separate groups of hackers simply searched for MongoDB databases left open to external connections, then wiped the content and replaced it with ransom demands.

In many cases, companies that paid the ransom discovered that they’d been scammed and the data had been erased.

Cloud Configuration vice president John Martinez told eSecurity Planet by email that these attacks demonstrate how poorly configured directories and mismanagement of permissions and settings can result in the exposure of massive amounts of sensitive data.

“The problem is compounded because cloud repositories have so many configuration settings, and unless an organization is continuously monitoring their security state, their data stores are likely vulnerable to some degree,” Martinez said.

And as Imperva vice president of product marketing Morgan Gerhart noted, big data presents an enormous opportunity for hackers.

“While protecting the data in your databases is important, monitoring big data services like MongoDB and Hive, which are ‘databases on steroids,’ is just as important,” he said.

Protecting Sensitive Data

To protect your data from ransom attacks like these, Gerhart suggests taking the following key steps:

  • Have data audit and monitoring in place with an out-of-the-box alerting system
  • Enable real-time blocking
  • Use deception techniques
  • Perform regularly scheduled discoery and classification scans
  • Institute Insider Threat and User and Entity Behavior Analytics (UEBA) technology
  • Deploy a holistic, data-centric solution

A recent SANS Institute survey of 257 IT and security administrators, engineers, managers, developers and privacy experts found that respondents see ransomware as the top overall threat to data availability.

The most common data being sought in breaches is user credentials, cited by more than 40 percent of respondents, followed by customers’ personally identifiable information (31 percent) and employee data and intellectual property (28 percent).

Still, less than 4 percent of respondents said they have a clear understanding of how data flows through their systems, and 62 percent said identifying all pathways to their sensitive data is a key challenge.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles