It’s normal now to hear stories about data breaches. Some of them involve publicly exposed Databases, S3 buckets etc. The vulnerability falls into ‘Security Misconfiguration’, A6 – OWASP Top 10 (2017).
” Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system. ” – OWASP
Real-world Attack Scenarios:
Search engines like Shodan, Binary Edge are very useful in finding such information on the internet such as webcams with default passwords, publicly exposed CCTV Cameras, computers with port 3389 open, SCADA devices, MongoDB instances and more.
Shodan: Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.
Binary Edge: in their words “We scan the entire internet space and create real-time threat intelligence streams and reports that show the exposure of what is connected to the Internet.”
MongoDB is an open source database, very simple and convenient to create and use. If you find a MongoDB instance on the Internet, Simply use MongoDB compass and connect to it. If there is no authentication, Hackers can view the information without having to hack it. All the information is public!
During weekend I found similar issues, we call it ‘Shodan Safari’. In some cases I was able to identify MongoDB owners and reported the issue. I found a company’s MongoDB instance which had their employee information in ‘users’ collection also the database contained business critical information.
Also I noticed activities of a cyber criminal group which was actively attacking open MongoDB instances and asking for ransom, so I felt the need to contact them as soon as possible and help them protect their information.
This is another MongoDB instance from a different organization, I guess it was too late to contact them. The cyber criminal group behind this attacks claims that they provide ‘Database Backup Service’.
I reported the issue via WhatsApp, Screenshot of the conversation went viral for different reasons with more than 1500 RTs and 3.7 lac+ impressions on twitter and 1 lac+ views on LinkedIn.
My phone was flooded with notifications for next Two days. So, I thought about writing an article for awareness regarding the issue.
Here’s their response:
The issue got resolved within 24 hours of my first conversation on WhatsApp with one of their team members.
If you think your organization is using MongoDB, make sure that it is protected. ‘Seniors’ responsible security of larger organizations can create a list of all the MongoDB instances/ AWS S3 buckets etc. used by the organization and review their access Monthly/Quarterly.
Feel free to let me know what you think about the article,
- Protect Your MongoDB – Story of “The Same Database” - May 21, 2019
- Crypto-Mining Marketplace NiceHash Fixed a Vulnerability Which Leaked Miners’ Information - January 27, 2019
- How to watch movies via flash drive in Sony Bravia? - July 8, 2018
- How to create a great proof of concept video? - July 8, 2018
- Temporary Solution If You Received Message That Crashed Your iPhone - February 16, 2018