MongoDB is subject to continual attacks when exposed to the internet

On average, an exposed Mongo database is breached within 13 hours of being connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set up, according to Intruder.

MongoDB is a general purpose, document-based, distributed database that consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organizations all over the globe to store and secure sensitive application and customer data.

There are 80,000 exposed MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000 are already infected with ransomware.

How MongoDB attacks are carried out

After seeing how consistently database breaches were occurring, Intruder planted honeypots to find out how these attacks happen, where the threats are coming from, and how fast it takes place. Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data. The network traffic was monitored for malicious activity and if password hashes were exfiltrated and seen crossing the wire, this would indicate that a database was breached.

The research shows that MongoDB is subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online.

At least one of the honeypots was held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them with a ransom note, requesting payment in Bitcoin for recovery of the data:

Where do attacks come from?

Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP Skynet and over half of the breaches originated from IP addresses owned by a Romanian VPS provider.

“It’s quite possible that some of the activity recorded was from security researchers looking for their next headline or data for their breach database. However, when it comes to a company’s security reputation, it often doesn’t matter whether the data is breached by a malicious attacker or a well-meaning researcher,” said Chris Wallis, CEO, Intruder.

“Even if security teams can detect an unsecured database and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone in under 9 minutes. Prevention is a much stronger defence than cure.”

A MongoDB spokesperson comments for Help Net Security: “Our MongoDB Community database is a very popular product, with over 100M downloads worldwide. Unfortunately, not every installation follows best practices and as a result, some are improperly configured. When MongoDB was first made aware of these issues several years ago, we made product changes to secure the open source community product’s default settings. As a result, we’ve seen the number of open databases reported to significantly decline. The default MongoDB database setup today comes with secure defaults out of the box.”