Almost 230 MongoDB databases in Canada that face the Internet are among the estimated 27,000 poorly-configured databases that have been hit by ransomware in the last several weeks, according to data gathered by European security researchers.
As of Jan. 9, 93 terabytes of information had been wiped out, estimate researchers Victor Gevers of the GDI Foundation, a Dutch non-profit working for an open and secure Internet, and Niall Merrigan, a solutions architect. Their database of all attacks, threat messages and IP addresses can be found here.
Of the 227 MongoDB installations hit here, their figures suggest 47 were in Ottawa, 22 in Toronto, six in Kitchener, Ont., four in Vancouver and three in Markham, Ont. The others were spread across the country.
Some of the ransomware threats say pay up with bitcoin or the user’s data will be wiped, but there are reports of many instances where data is wiped from the start.
An open source NoSQL database which is also available in several enterprise versions and as a service, MongoDB open to the Internet have been attacked since December. The attacks seem to have been launched by a handful of threat actors, some of whom may have joined in after word spread of the attacks last week.
Blame is being focused on installations that don’t have administrator passwords. In an email this morning Gevers noted no authentication is needed to access a database if the user has full admin rights. “The owners forgot to read the manual which advises to lock down your database. By default the door is open. All the database that have been ransacked were open. It’s very simple to connect and steal all the data. That has been going on for years,” he said. But, he added, the destructive ransomware attacks are new.
An early analysis of the data he and Merrigan collected shows that for the first 118 victims only 13 had recently backed up their data. Seven of the 118 paid the ransom — none got their data back. And while some use MongoDB for staging or development, note that of the group studied 86 (or 73 per cent) were production databases.
In a blog MongoDB Inc., which distributes the database and sells support, notes that the latest version of the database, 3.4, allows users to configure authentication to an unprotected system without suffering downtime. For those who need it there’s a security checklist. One is to ensure that MongoDB runs in a trusted network environment and limit the interfaces on which instances listen for incoming connections. “Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.”