MongoDB Ransomware: Number of Compromised Databases Doubles in One Day

MongoDB is a powerful, flexible and scalable general-purpose NoSQL database. It is an agile database that allows schemas to change quickly as applications evolve. MongoDB instances are now being held for ransom, and the number of compromised databases just doubled in one day.

Hackers have been rushing to grab vulnerable MongoDB databases and lock them up before administrators secure them and the opportunity to hijack instances of the popular database engine closes.

The simple attacks against servers running MongoDB – a widely used, open source NoSQL database – came to light in December 2016, but the attacks were quite small in number. That changed almost overnight yesterday (more like during the day in the US, but it was night somewhere).

Many of the affected databases hadn’t been properly set up to require a password for access from the internet, making remote compromises not just simple, but effectively child’s play for a hacker or script kiddie.

Once a database was compromised, it was easy to download it and then alter the database on the source server. This was effectively like building a house and putting on a front door with no lock at all.

Security expert Niall Merrigan estimated the compromised databases to number about 12,000 early yesterday – that number had skyrocketed, more than doubling to 27k by the end of the day.

Many security experts have issued warnings to MongoDB administrators to clean up their act. John Matherly, who founded Shodan – a search engine for internet-connected devices – noted as far back as mid-2015 that there were large numbers of Internet-facing MongoDB servers running outdated software.

The solution to the MongoDB security risk involves database administrators following the security checklist that MongoDB outlines on its website. The very first item on the checklist is ‘enable access control and enforce authentication.’
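
To check a server against that first checklist item, the following added example (not code from MongoDB or from this article) audits a YAML-format `mongod.conf` for the two conditions described above: access control left off and a listener bound beyond loopback. The finding codes and sample configs are constructed for illustration, and the parser only handles simple nested `key: value` YAML.

```python
# Added example: audit a YAML-format mongod.conf for the two conditions the
# article describes: access control left off, and a listener beyond loopback.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def flatten(conf_text):
    """Flatten simple nested 'key: value' YAML into {'net.bindIp': '0.0.0.0'}."""
    path, out = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:     # leave deeper/sibling scopes
            path.pop()
        path.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in path)] = value.strip().strip("\"'")
    return out

def audit(conf_text):
    """Return finding codes (names invented for this example)."""
    conf = flatten(conf_text)
    auth_on = conf.get("security.authorization", "disabled").lower() == "enabled"
    if conf.get("net.bindIpAll", "false").lower() == "true":
        binds = ["0.0.0.0"]
    else:
        binds = [a.strip() for a in conf.get("net.bindIp", "").split(",") if a.strip()]
    findings = []
    if not auth_on:
        findings.append("NO_AUTH")
    if not binds:
        # Default differs by release: 3.6+ binds to localhost, older ones could bind all.
        findings.append("BIND_UNSET")
    elif any(a not in LOOPBACK for a in binds):
        findings.append("NON_LOOPBACK_BIND")
    if not auth_on and "NON_LOOPBACK_BIND" in findings:
        findings.append("UNAUTHENTICATED_REMOTE_ACCESS")
    return findings

# Constructed sample configs: the exposed setup and the checklist-compliant one.
WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no findings")
```

A `NON_LOOPBACK_BIND` finding on its own is informational, since a private-network address with authentication enabled can be a legitimate setup.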

