In this blog post, we’ll look at some of the concerns recently seen around MongoDB ransomware and security issues.
Security blogs and magazines have recently been aflutter with the news that a hacker is stealing data from MongoDB instances and demanding bitcoins to get the data back. This sounds pretty bad at first glance, but let’s examine the facts.
The hacker needs a few things to pull this off:
If this sounds familiar, you might remember a similar flurry occurred last year when people counted the number of open MongoDB installs on the web. That required these same conditions to all be true. This also means the solution is the same: you simply need to make sure you follow the normal security practices of locking down ports and using authentication. Not so scary after all, right?
Finding out if this happened is simple: your data is removed and gone! In its place, you will find a “WARNING” database, which holds a “WARNING” collection. This collection has a document that looks like:
```
{
    "_id" : ObjectId("5859a0370b8e49f123fcc7da"),
    "mail" : "[email protected]",
    "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
}
```
To recover from this, you need backups. If you don’t have them, you might want to look at https://www.percona.com/blog/
So, backup!
But this brings us to the real question: can you be hijacked? It’s pretty easy to check:
```
rs1:PRIMARY> var opts = db.adminCommand('getCmdLineOpts').parsed;
rs1:PRIMARY> if (opts.security === undefined || opts.security.authorization === undefined || opts.security.authorization == "disabled") { print("Auth not enabled!") } else { print("You're safe!") }
Auth not enabled!
```

```
rs1:PRIMARY> db.adminCommand('getCmdLineOpts').parsed.net.port
27001
```
The last part is a bit harder if the other two are both false. You will need to spin up a server outside of your environment and test the connection. I suggest an Amazon EC2 Micro instance (it’s very inexpensive – free if you use a new account). Installing a MongoDB client there is simple. Then check your setup:
```
wget -q --show-progress https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-amazon-3.4.1.tgz
# the target directory must exist before tar can extract into it
mkdir -p 3.4
tar xzf mongodb-linux-x86_64-amazon-3.4.1.tgz -C 3.4 --strip-components=1
```

```
./3.4/bin/mongo --host <your_host_name> --port <your_mongod_port>
```
If this connects, and you can run “db.serverStatus()”, you are at risk and should enable authentication ASAP!
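The same checks, rolled into one audit function, as an added example that is not from the original post. It works on the document `getCmdLineOpts` returns (fetched in practice with pymongo’s `db.command('getCmdLineOpts')`) and on the database list (`client.list_database_names()`); the sample documents below are constructed, and the function also flags the “WARNING” database the post describes as the sign that data has already been wiped.

```python
# Added example (not Percona's code): audit a mongod's parsed startup options and
# database list for the exposure conditions discussed in the post.
# Inputs are assumed to come from pymongo: db.command('getCmdLineOpts')['parsed']
# and client.list_database_names(). The sample documents below are constructed.

RANSOM_MARKER_DB = "WARNING"  # database the attacker leaves behind per the post


def auth_enabled(parsed):
    """True only when security.authorization is explicitly 'enabled'."""
    return parsed.get("security", {}).get("authorization") == "enabled"


def listens_on_all_interfaces(parsed):
    """Before 3.6, mongod binds to every interface unless net.bindIp restricts it."""
    bind_ip = parsed.get("net", {}).get("bindIp", "0.0.0.0")
    return any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))


def listening_port(parsed):
    """net.port from the parsed options, falling back to the default 27017."""
    return int(parsed.get("net", {}).get("port", 27017))


def audit(parsed, database_names):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    if not auth_enabled(parsed):
        findings.append("authorization is not enabled")
    if listens_on_all_interfaces(parsed):
        findings.append("mongod is bound to all interfaces on port %d" % listening_port(parsed))
    if RANSOM_MARKER_DB in database_names:
        findings.append("a '%s' database exists: data may already have been wiped" % RANSOM_MARKER_DB)
    return findings


# Constructed samples: an exposed server like the one in the post (auth absent,
# no bindIp, ransom database present) and a hardened one.
EXPOSED = {"net": {"port": 27001}, "storage": {"dbPath": "/var/lib/mongo"}}
EXPOSED_DBS = ["WARNING", "admin", "local"]
HARDENED = {"net": {"port": 27001, "bindIp": "127.0.0.1,10.0.0.5"},
            "security": {"authorization": "enabled"}}
HARDENED_DBS = ["admin", "local", "app"]

if __name__ == "__main__":
    for label, parsed, dbs in (("exposed", EXPOSED, EXPOSED_DBS), ("hardened", HARDENED, HARDENED_DBS)):
        print(label + ":", audit(parsed, dbs) or ["no findings"])
```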
We will have a blog out shortly on the particulars of creating a user. To enable authentication, you simply need to add “--auth” to your startup command, or the following to your YAML config file:
```
security:
  authorization: enabled
```
This should get you started on correctly protecting yourself against MongoDB ransomware (and other security threats). If you want to have someone review your security, or even help you use LDAP to tie into your main authentication systems, please contact us.