It’s normal now to hear stories about data breaches. Some of them involve publicly exposed databases, S3 buckets, etc. This class of vulnerability falls under ‘Security Misconfiguration’, A6 in the OWASP Top 10 (2017).
“Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system.” – OWASP
Real-world Attack Scenarios:
https://www.zdnet.com/article/mongodb-server-leaks-11-million-user-records-from-e-marketing-service/
Search engines like Shodan and BinaryEdge are very useful for finding such exposures on the Internet: webcams with default passwords, publicly exposed CCTV cameras, computers with port 3389 (RDP) open, SCADA devices, MongoDB instances and more.
Shodan: Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.
https://www.shodan.io/
BinaryEdge: in their words, “We scan the entire internet space and create real-time threat intelligence streams and reports that show the exposure of what is connected to the Internet.”
https://www.binaryedge.io/
MongoDB is an open-source database that is very simple and convenient to set up and use. If you find a MongoDB instance on the Internet, you can simply use MongoDB Compass and connect to it. If there is no authentication, hackers can view the information without having to hack anything: all the information is public!
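The two settings that decide whether an instance ends up in that state are security.authorization (off by default) and net.bindIp (whether mongod listens on all interfaces). The following audit script is an added example for this article, not code from the original post: it parses the simple two-level YAML subset that mongod.conf uses with a small hand-written parser (no PyYAML dependency) and flags both problems. Both configuration files are constructed samples, one weak and one hardened, so the script runs offline; on a real host you would point parse_conf at the contents of /etc/mongod.conf.

```python
"""Audit a mongod.conf for the two settings that most often turn a MongoDB
instance into a public, unauthenticated data leak: security.authorization
left disabled and net.bindIp listening on every interface."""

# Constructed sample: a risky configuration (no auth, bound to all interfaces).
WEAK_CONF = """\
# mongod.conf (constructed example of a risky configuration)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the hardened counterpart of the same file.
HARDENED_CONF = """\
# mongod.conf (constructed example of a hardened configuration)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the 'section:\\n  key: value' YAML subset used by mongod.conf.

    Returns {section: {key: value}} with all values as strings. This is a
    deliberately minimal parser for flat two-level files, not full YAML.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith(" "):            # top-level section, e.g. "net:"
            section = key
            conf.setdefault(section, {})
        elif section is not None:              # indented key under that section
            conf[section][key] = value
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can "
                        "reach the port can read and write every database")
    net = conf.get("net", {})
    addrs = {a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")}
    if addrs & {"0.0.0.0", "::", "*"} or net.get("bindIpAll") == "true":
        findings.append("net.bindIp listens on all interfaces: the instance is "
                        "reachable from the Internet unless a firewall blocks it")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["OK"])
```

Enabling authorization without creating an admin user first locks you out, so the usual order is: create the user while still on localhost, set security.authorization to enabled, restart mongod, then tighten bindIp and the firewall. Binding to localhost alone is not a substitute for authentication, since anything else on the host (or a later config change) would again expose every collection.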
During a weekend, I found similar issues while exploring Shodan; we call it ‘Shodan Safari’. In some cases, I was able to identify the MongoDB owners and reported the issue. I found a company’s MongoDB instance which had their employee information in a ‘users’ collection; the database also contained business-critical information.
I also noticed the activities of a cybercriminal group which was actively attacking open MongoDB instances and asking for ransom, so I felt the need to contact them as soon as possible and help them protect their information.
There were multiple other MongoDB instances belonging to different organizations; it was too late to contact them. The cybercriminal group behind these attacks claimed that they provided a ‘Database Backup Service’.
I reported the issue to one of their employees via WhatsApp. A screenshot of the conversation went viral! It received more than 1500 RTs and 3.7 lac+ impressions on Twitter and 1 lac+ views on LinkedIn.
My phone was flooded with notifications for a week. So I thought about writing an article to raise awareness of the issue.
Renowned hacker Keren Elazari talked about this incident in her talk at DataStax Accelerate, Washington.