MongoDB – for those that don’t know – is a free, open source, document-orientated database program adopted as an alternative to SQL Server.
Not necessarily dangerous in itself, but the threat comes from unsecured Mongo databases requiring no authentication. These exposed entities are being identified by threat actors, taken offline and held to ransom.
The number of databases hijacked like this in the recent MongoDB ransom attacks ran into the tens of thousands.
But while the attacks have been disastrous for those affected, they were largely preventable.
In this blog post I’m going to explain how this kind of attack happens, what the potential fallout is and how you can avoid becoming a victim with the right approach to cybersecurity – all using real-world examples from our own research.
What we’ve uncovered
Our Cyber Threat Intelligence unit regularly analyses the risks associated with unsecured data. We identify and analyse exposed databases to help companies better understand how to protect themselves.
In December last year we found a 112GB database storing data that appeared to belong to a hotel content management system (CMS). It contained the following information:
- 9 million partial payment information records
- 4 million booking references (check-in/out details)
- 4,800 hotel reference usernames
- 3 million guest records (first name, surname, addresses, email address, telephone number, country of residence, zip/post code)
- 9 million transaction records (room rate, transaction processor)
When we analysed this data, we discovered a US-based company offering a complete cloud-based solution for hotels.
At the time of writing our report this company had managed the stays of almost 100,000 hotel guests from the initial online booking right through to checkout. That’s an enormous amount of data potentially exposed.
This month attackers began removing other MongoDB databases and replacing them with a note asking for bitcoin payment for the safe return of the data, effectively committing extortion against the owners of any unauthenticated databases.
One database we uncovered belonged to cloud-hosting company CloudFX. It totalled 29GB in size and contained everything from product and purchase information to firewall rules and private network details.
The potential exposure
As of the 6th January the database had been stolen and replaced with the following extortion message from an actor we had been tracking before the attack happened:
So what, or who, is actually at risk here?
The company lists a huge number of logos on its operations page, seemingly as a reference to all those who’ve used its services. Those companies range from strategic consultancies and digital service marketplaces to multi-cloud vendors and migration services.
We can’t put a specific number on each of those individual organisations when it comes to their potential exposure, however, every single one of them could be at risk.
Take PricewaterhouseCoopers (PwC), for example – one of the brands shown on the CloudFX operations page. As you can see from our table below the firm may have had sensitive payment information stolen as part of the attack.
How to fight back in future
As cybercriminals get smarter, organisations can no longer afford to be complacent when it comes to security.
The responsibility no longer sits only with IT – it is an issue that deserves to be front and centre in boardroom discussions for the sake of companies and their customers.
Technology can go some of the way to combating cybercrime and protecting your data – implementing a robust threat intelligence system backed by a detailed and proactive incident response plan is essential.
But you also need education across your organisation to ensure no individual poses more of a cybersecurity threat than they have to.
Click here to read the full report.
Get in touch with our Cyber Threat Intelligence team today to find out how you can protect your organisation against future attacks.
He has developed his design, technical, project and security skills within some of the UK’s top employers and institutions.
Latest posts by Bryan Campbell (see all)
- Why misuse of enterprise platforms could be your worst nightmare - October 31, 2017
- MongoDB ransom attacks – could you be at risk? - January 23, 2017
- KeyBase – the impact of malware and how to respond - November 29, 2016