MongoDB: The threat against MongoDB and the massive breaches caused due to misconfiguration

• The trend of ransom attacks targeting MongoDB was first observed in December 2016.
• The root cause for such attacks is not a security issue in MongoDB but users leaving the MongoDB open and unprotected.

A misconfigured MongoDB exposed 445 million records’, ‘An unprotected MongoDB exposed 66 million scrapped user profiles online’, ‘93 million Mexican voter’s personal information hosted on MongoDB leaked’. These types of data breaches are not new to us and it is difficult to put an end to such breaches.

The root cause - misconfiguration

The threat against MongoDB is well known, but what remains unknown is the root cause for such breaches. The root cause for such attacks is not a security issue in MongoDB but users leaving the MongoDB open and unprotected.

MongoDB is an open-source document database and a leading NoSQL database that uses a document-oriented database model. Hundreds of thousands of organizations use MongoDB to store their data. However, misconfiguration of MongoDB can leave millions of data exposed.

Chris Vickery who detected the misconfigured MongoDB that exposed 93 million Mexican voter’s private data “claimed that a user had not properly secured their instance of MongoDB and [the instance] was therefore at risk. The potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB – extensive security capabilities are included with MongoDB.”

First Ransom attack targeting MongoDB

The trend of ransom attacks targeting MongoDB was first observed in December 2016. During that time there were nearly 60,000 unprotected MongoDB databases publicly available which gave hackers plenty of targets to choose from.

The first hacker group who was involved targeting misconfigured MongoDB with ransom attack went by the name of Harak1r1. However, such attacks witnessed a peak in the first half of 2017 and almost 28,000 servers were attacked within just two months period.

Examples of MongoDB breaches

A misconfigured MongoDB hosted on Amazon Web Services (AWS) exposed 445 million records. The open database belonged to a Swiss-based data company Veeam. The unsecured MongoDB which was publicly available was uncovered by a security researcher Bob Diachenko on September 5, 2018. Diachenko immediately reported the database to Veeam. Later, the database was secured on September 9, 2018.

An unprotected MongoDB instance which contained 202,730,434 resumes of Chinese jobseekers was exposed online for at least one week. The database held almost 854 GB of data. Bob Diachenko discovered the unsecured database on 28, December 2018, while analyzing the data stream of BinaryEdge search engine. The exposed CVs contained personal information such as full names, dates of birth, addresses, phone numbers, email addresses, marital status, education, salary expectations, previous job experience, and more.

The recent data breach due to misconfigured MongoDB was observed in February 2019. An open facial recognition MongoDB database belonging to the Chinese video analytics company SenseNets exposed information of 2.5 million citizens. The exposed database contained information of people in the Xinjiang autonomous region, which is home to the Uyghur Muslim minority population of China. The information included citizens’ names, ID card numbers, ID card issue date, ID card expiration date, sex, nationality, home addresses, dates of birth, photos, and employer.

How to stay protected?

• It is best to conduct a cloud-based vulnerability assessment or web application scan to determine if your MongoDB is publicly available.
• Regularly check if your MongoDB is protected with a secure password authentication
• It is recommended to secure privileged accounts for MongoDB databases.
• It is suggested to secure your databases with proper password configuration.
• It is further recommended to educate your users on best practices and proper configuration.