Protect Your MongoDB – Story of “The Same Database”

Protect Your MongoDB – Story of “The Same Database”

May 22, 2019 Off By Ashutosh Barot

It’s normal now to hear stories about data breaches. Some of them involve publicly exposed Databases, S3 buckets etc. The vulnerability falls into ‘Security Misconfiguration’, A6 – OWASP Top 10 (2017).

” Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system. ” – OWASP

Real-world Attack Scenarios:

Search engines like Shodan, Binary Edge are very useful in finding such information on the internet such as webcams with default passwords, publicly exposed CCTV Cameras, computers with port 3389 open, SCADA devices, MongoDB instances and more.

Shodan: Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.

Binary Edge: in their words “We scan the entire internet space and create real-time threat intelligence streams and reports that show the exposure of what is connected to the Internet.”

MongoDB is an open source database, very simple and convenient to create and use. If you find a MongoDB instance on the Internet, Simply use MongoDB compass and connect to it. If there is no authentication, Hackers can view the information without having to hack it. All the information is public!

During weekend I found similar issues, we call it ‘Shodan Safari’. In some cases I was able to identify MongoDB owners and reported the issue. I found a company’s MongoDB instance which had their employee information in ‘users’ collection also the database contained business critical information.

Also I noticed activities of a cyber criminal group which was actively attacking open MongoDB instances and asking for ransom, so I felt the need to contact them as soon as possible and help them protect their information.

This is another MongoDB instance from a different organization, I guess it was too late to contact them. The cyber criminal group behind this attacks claims that they provide ‘Database Backup Service’.

I reported the issue via WhatsApp, Screenshot of the conversation went viral for different reasons with more than 1500 RTs and 3.7 lac+ impressions on twitter and 1 lac+ views on LinkedIn.
My phone was flooded with notifications for next Two days. So, I thought about writing an article for awareness regarding the issue.