Kevin Stear

Candygram for Mongo??

Blog post by Kevin Stear, Jan 10, 2017
Over the last several weeks, the security community has bitten its collective tongue while watching thousands of Internet-accessible MongoDB instances get pwned at an alarming rate.  In fact, according to an article published by BleepingComputer this morning:

The number of hijacked MongoDB servers held for ransom has skyrocketed in the past two days from 10,500 to over 28,200, thanks in large part to the involvement of a professional ransomware group known as Kraken.

According to statistics provided by two security researchers monitoring these attacks, Victor Gevers and Niall Merrigan, this group is behind nearly 16,000 hijacked databases, which is around 56% of all ransacked MongoDB instances.

The Kraken group got involved in these MongoDB attacks on Friday, January 6, seeing how successful and profitable previous attacks from other groups had been.

The vulnerability (and potential ransoming) of thousands of MongoDB instances comes down to two common security denominators: authentication/authorization and network access control.  First, MongoDB by default enforces no authentication for read/write access, although a number of security extensions are available and routinely used.  As for networking, access to the default port allocations (e.g., 27017 for the database, 28017 for the REST interface) needs to be controlled via basic IT hygiene measures such as iptables and firewalls.
These are basic security aspects that are well documented by MongoDB, and yet people continue to deploy Internet-facing MongoDB instances with default or improper configurations, leaving themselves extremely vulnerable to elementary attack vectors.  In the case of the recent ransomware infections, actors simply connect to the DB, export and drop tables, and then ransom their return for bitcoin.
[Image: .mongo ransomware]
NetWitness customers can evaluate their possible exposure to this malicious activity via a simple rule: direction = 'inbound' &&  = 'flags_syn' && tcp.dstport = '27017' *, and everyone running MongoDB instances should ensure that their administrators:
  1. Enable authentication (i.e., start by setting auth = true in the config file)
  2. Use firewalls to disable remote access: bind mongod to local IP addresses and block access to port 27017
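As an added example (not the post's own material or anything shipped by MongoDB), the hypothetical shell helper check_mongod_conf below reviews a mongod configuration file for the two items above. It accepts the legacy INI settings (auth = true, bind_ip) as well as the YAML settings (security.authorization: enabled, net.bindIp) and reports a missing auth setting or a bind address that reaches beyond loopback; the sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical helper: review a mongod config for the two controls in the post.
# Accepts legacy INI style (auth = true, bind_ip = ...) or YAML style
# (security.authorization: enabled, net.bindIp: ...). Returns 0 when both
# authentication and a loopback-only bind address are set, 1 otherwise.
check_mongod_conf() {
    conf="$1"
    status=0
    body=$(sed 's/#.*//' "$conf")   # drop comments so commented-out settings do not count
    # Authentication: "auth = true" (INI) or "authorization: enabled" (YAML)
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*(auth[[:space:]]*=[[:space:]]*true|authorization[[:space:]]*:[[:space:]]*enabled)[[:space:]]*$'; then
        echo "$conf: authentication not enabled (default allows unauthenticated read/write)"
        status=1
    fi
    # bindIpAll overrides any bind list and exposes every interface
    if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*bindIpAll[[:space:]]*:[[:space:]]*true'; then
        echo "$conf: bindIpAll is true; mongod listens on all interfaces"
        status=1
    fi
    # First "bind_ip" (INI) or "bindIp" (YAML) value, with quotes and whitespace removed
    bind=$(printf '%s\n' "$body" | sed -nE 's/^[[:space:]]*(bind_ip|bindIp)[[:space:]]*[=:][[:space:]]*//p' | head -n 1 | tr -d "[:space:]\"'")
    case "$bind" in
        "")  echo "$conf: no bind address set; mongod listens on all interfaces"; status=1 ;;
        127.0.0.1|localhost|::1|127.0.0.1,::1|localhost,::1) ;;   # loopback only
        *)   echo "$conf: bind address '$bind' reaches beyond loopback; restrict it or firewall TCP/27017"; status=1 ;;
    esac
    return "$status"
}

# Constructed sample configs (not real deployments) to exercise the check.
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# legacy INI style as shipped by many images: no auth line, no bind_ip line
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
EOF
cat > "$tmp/hardened.yaml" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

for f in "$tmp/default.conf" "$tmp/hardened.yaml"; do
    check_mongod_conf "$f" && echo "$f: OK"
done
```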

MongoDB has also released additional specific guidance in response to recent ransomware attacks, which is available at 

* The suggested app rule may differ slightly depending on NetWitness configuration.