Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware’s roots with the promise of becoming a nemesis for years to come.
“These types of attacks have grown from ones of opportunity to full-scale automated and systematic assaults targeting misconfigured servers containing sensitive data that can be easily hijacked,” said Zohar Alon, co-founder and CEO, security firm Dome9.
First spotted on Dec. 27 by Victor Gevers, an ethical hacker and founder of GDI Foundation, attacks in the past two months shot up from 200 to near 50,000. The first of these ransom attacks against insecure databases traces back to a hacker identified as Harak1r1, who Gevers said was responsible for compromising open MongoDB installations, deleting their contents, and leaving behind a ransom note demanding 0.2 BTC (about $220 at the time).
After that, escalation of attacks against open MongoDB installations happened fast, jumping from hundreds one week, to 2,000 the next, and 10,000 the following week. At last count more than 56,000 open MongoDB databases alone are ripe for attack, according to the most recent numbers available from GDI Foundation. But that doesn’t include a slew of new databases now being targeted by cybercriminals.
Security researchers at Rapid7 estimate that 50 percent of the 56,000 vulnerable MongoDB servers have been ransomed. Among similarly misconfigured databases, 58 percent of the 18,000 vulnerable Elasticsearch servers have been ransomed, and of the 4,500 vulnerable CouchDB servers, 10 percent have been ransomed.
“It’s about the path of least resistance for hackers interested in the biggest potential reward,” said Bob Rudis, chief data security officer at Rapid7. “Hackers have decided it’s easier to end-run an enterprise’s multi-million dollar security system and instead simply target an open server.”
Open Databases are a Scan Away
Rudis and other experts say cybercriminals have adopted techniques similar to those behind Mirai, which used scanning tools such as Shodan, Thingful or Censys to find open devices or ones with weak credentials to attack. This time, instead of looking for DVRs or CCTVs with weak or no credentials, the targets are servers where the stakes and profit potential are much higher, according to Rudis.
“We have warned for years about open MongoDB and other databases,” said Rudis. “But warnings appear to have been in an echo chamber. Few have heeded the security community’s warnings.”
Dome9’s Alon says his company estimates cybercriminals have already made millions from ransoming hijacked data, with bigger damages to come. “Criminals are fine tuning techniques. Testing the waters,” he said.
In a typical ransomware attack, an attacker compromises a computer via malware or Trojan and encrypts local data that can only be unlocked with an encryption key obtained for a price. That spurred a maturing of ransomware used against more sophisticated healthcare, government and educational targets with similar phishing, malware and Trojan techniques. Both of these trends have far from abated. However, experts say, both have acted as the stepping stones to this type of data hijacking.
Copy. Delete. Ransom.
With data hijacking, attackers compromise insecure database installations, copy the data, then delete the contents and leave behind a ransom note, in the form of a directory name, demanding a ransom be paid via Bitcoin. In some instances, breached data is simply destroyed and anyone who pays the ransom does not get their data back.
Further complicating matters, attackers also appear to be battling among themselves. In some instances after one hacker leaves a ransom note another hacker will target the same database, delete the original ransom note and leave their own.
Experts say there is a danger in underestimating data hijacking. The genius of the attacks is their simplicity, they say. What data jacking lacks in Trojans and cryptography, it makes up for in automation and scanning of the internet for vulnerable systems.
“Continuous scanning and automation of attack scripts have allowed cybercriminals to scale these type of attacks from just hundreds to tens of thousands very quickly,” said Lawrence Abrams of Bleeping Computer.
That’s helped criminals evolve from MongoDB “low hanging fruit” to a greater variety of targets, Abrams said. He said there are just too many open devices out there and until better security is in place automated scanning and script-based attacks will continue.
Targeted Attacks on the Horizon
These most recent hijackings, experts say, are just the first wave in what will be more sophisticated attacks against a more diverse set of targets in the future.
“MongoDB, Hadoop and Elasticsearch is the starting point,” Rapid7’s Rudis said. Rapid7 has already seen additional databases such as Redis, Kibana and other SQL databases targeted in its honeypots.
Josh Gomez, senior security researcher with security firm Anomali, said moving forward attacks will be less random, more targeted and seek high-value repositories with weak protection.
“These targeted database systems have one thing in common; they are set up with no security or default configurations and made accessible on the open internet,” Gomez said. “This is usually by way of opening ports on a firewall, or in some cases directly connecting the system to the internet without sufficient hardening of the OS and applications.”
A recent example of this, GDI Foundation reported on Thursday, is 5,300 Hadoop clusters it found currently exposed to the internet and vulnerable to data jacking attacks. “The default installation for HDFS Admin binds to the IP address 0.0.0.0 and allows any unauthenticated user to perform super user functions to a Hadoop cluster,” according to the GDI report. “These functions can be performed via a web browser, and do not prevent an attacker from destructive actions. This may include destroying data nodes, data volumes, or snapshots with terabytes of data in seconds.”
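The defaults the GDI report describes can be checked from a cluster's own configuration files. The following is an added example, not code from the article or from GDI Foundation: it merges Hadoop `*-site.xml` overrides onto the stock defaults and reports the settings that leave the NameNode web interface bound to every interface and unauthenticated. The property names are Hadoop's standard ones; the sample configurations and the 10.0.0.5 address are constructed.

```python
import xml.etree.ElementTree as ET

# Stock Hadoop values that apply when a *-site.xml does not override them.
DEFAULTS = {
    "dfs.namenode.http-address": "0.0.0.0:9870",  # 0.0.0.0:50070 on Hadoop 2.x
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
}

def load_site(xml_text):
    """Parse one Hadoop *-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(*site_xml_texts):
    """Return finding ids for the effective config (defaults + overrides)."""
    conf = dict(DEFAULTS)
    for text in site_xml_texts:
        conf.update(load_site(text))
    findings = []
    host = conf["dfs.namenode.http-address"].rsplit(":", 1)[0]
    if host in ("0.0.0.0", "[::]"):
        findings.append("namenode-ui-binds-all-interfaces")
    if conf["hadoop.security.authentication"].lower() != "kerberos":
        findings.append("rpc-identity-unverified")
    if conf["hadoop.http.authentication.type"].lower() == "simple":
        anon = conf["hadoop.http.authentication.simple.anonymous.allowed"]
        findings.append("http-anonymous-allowed" if anon.lower() == "true"
                        else "http-user-name-unverified")
    return findings

# Constructed sample inputs: an untouched install and a hardened override.
UNTOUCHED = "<configuration></configuration>"
HARDENED = """<configuration>
  <property><name>dfs.namenode.http-address</name><value>10.0.0.5:9870</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    print("untouched:", audit(UNTOUCHED))
    print("hardened: ", audit(HARDENED))
```

Pass the contents of both `core-site.xml` and `hdfs-site.xml` to `audit()` so that overrides in either file are taken into account.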
According to Bob Dyachenko, chief communication officer at MacKeeper, in some cases cloud providers such as Amazon are to blame for insecure installations that allow administrators to configure databases such as MongoDB installations with default settings and do not require user names or passwords for access.
Dyachenko said that’s still no excuse, and the responsibility to secure servers always rests on the admin deploying it.
“Amazon, DigitalOcean, SoftLayer and Azure are selling easy to spin-up servers with tons of automation,” Rapid7’s Rudis said. “But you can’t pass the buck to these cloud guys just because they are making it wicked easy to automate many aspects of the installation. If you are going to deploy something on the internet it is your responsibility as the owner of that server to do the right thing or suffer the consequences.”
To that end Mike Olson, chief strategy officer and co-founder of Cloudera, one of several firms that provides Apache Hadoop-based software, told Threatpost last month the problem has nothing to do with security of these platforms. “This is a problem that has to do with deployment and operations discipline.”
Olson said that Hadoop has a bevy of security and data protection capabilities. “You can encrypt all the data that’s on the platform, you can separate the key management from the system and you can take advantage of authentication, access control and user enroll-based rights to the data. The systems that have been attacked have not taken advantage of these features,” he said.
“For years, people are still making the wrong assumptions about the security of servers they deploy,” Rudis said. “This is not a problem that admins made 10 years ago. The plague of misconfigured servers is a problem admins perpetuate every day.” In Rapid7’s most recent scan of vulnerable MongoDBs, it found almost as many misconfigured servers installed in 2016 as misconfigured servers installed years ago.
“Let’s say a new cool database technology comes out this year that every DevOps person wants to go use,” Rudis said. “I guarantee you a good chunk – maybe five to 10 percent – will have no security and will give people direct access to the internet.”