By Gary Duan, CTO, NeuVector
The recently reported ransomware attacks on MongoDB are shocking not just for their sheer number (over 28,000 instances and counting) but for how easily the databases were compromised. These attacks required no sophisticated malware or exploit to pull off. They took advantage of poor administrative practices, and they remind us of the need for preventative measures as well as real-time threat detection.
How Did This Happen?
The technique behind the MongoDB ransomware attacks is surprisingly simple. It takes advantage of the fact that many MongoDB servers, like many other database instances, expose their service ports to the Internet with no authentication enabled. The attackers simply scan for the default ports (27017 and 27018 for MongoDB). Once an open port is found, they connect. If the server demands no administrative credential, they have full control of the database.
MongoDB does publish a generic security checklist to follow. But securing a database against this kind of attack is not as straightforward as it might seem, especially for databases deployed in a cloud environment. A database on a bare-metal server on premises has a location and an IP address that never change; in a virtualized environment both can change at any time, and all the more so when the database runs as a microservice. Traditional firewall or ACL rules cannot keep up with that rate of change.
One Approach to Security
One practice that can be included in the auditing process is a tool that reads and parses the MongoDB configuration files and alerts if challenge-response authentication is not enabled. Some tools can even prevent the instance from starting if the database is misconfigured. This approach is effective in many cases but is not without drawbacks. First, when the database is deployed together with the users' applications, the configuration file is not always at the default location, so the tool may audit the wrong file or no file at all. Second, some users who are uncomfortable sharing a pre-shared password among applications, and who do not want to maintain a PKI, may choose to keep authentication disabled because they believe their network perimeter is secured. Of course, this is a big 'if.'
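As an added illustration of the configuration-audit approach (this is example code written for this article, not a NeuVector product or a MongoDB tool), the following Python script flattens a mongod.conf and reports the two settings the ransomware campaign depended on: authentication left off and the listener reachable from every interface. It understands the YAML-style file used since MongoDB 2.6 and the older "key = value" format, but only the YAML subset mongod.conf actually uses (nested mappings and scalar values). The sample configurations are constructed, and the version_before_3_6 flag encodes the fact that mongod versions before 3.6 bound to all interfaces when net.bindIp was not set. The first drawback mentioned above still applies: the script has to be pointed at the right file.

```python
"""mongod.conf audit, added as an example for this article (not a NeuVector tool).
Flags authentication disabled and a listener bound to every interface, which is
the combination the MongoDB ransomware scans looked for."""


def parse_mongod_conf(text):
    """Flatten a mongod.conf into dotted keys, e.g. {"security.authorization": "enabled"}.

    Nesting is tracked by indentation; comments and blank lines are ignored.
    Legacy "auth = true" lines (pre-2.6 format) are stored under their own key.
    """
    flat = {}
    path = []  # stack of (indent, key) describing the current nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        eq, colon = body.find("="), body.find(":")
        if eq != -1 and (colon == -1 or eq < colon):      # legacy key = value
            key, _, value = body.partition("=")
            flat[key.strip()] = value.strip()
            continue
        key, _, value = body.partition(":")
        while path and path[-1][0] >= indent:             # climb back out
            path.pop()
        path.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in path)] = value.strip().strip("'\"")
    return flat


def audit_mongod_conf(text, version_before_3_6=True):
    """Return a list of findings; an empty list means both checks passed.

    version_before_3_6: until 3.6, mongod listened on all interfaces when
    bindIp was absent, which is how most of the ransomed instances ran.
    """
    conf = parse_mongod_conf(text)
    findings = []

    auth_on = (conf.get("security.authorization") == "enabled"
               or conf.get("auth", "").lower() == "true")
    if not auth_on:
        findings.append("authentication is disabled (security.authorization != enabled)")

    bind = conf.get("net.bindIp", conf.get("bind_ip"))
    bind_all = conf.get("net.bindIpAll", "").lower() == "true"
    if bind is None:
        exposed = version_before_3_6 or bind_all
    else:
        exposed = bind_all or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(","))
    if exposed:
        findings.append("mongod listens on all interfaces (bindIp absent, 0.0.0.0, :: or bindIpAll)")

    if not auth_on and exposed:
        findings.append("CRITICAL: unauthenticated access from the network, "
                        "the exact condition the ransomware scans for")
    return findings


# Constructed sample: the shape of a typical ransomed deployment.
VULNERABLE_CONF = """\
# mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, including the public one
"""

# Constructed sample: the same server hardened.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.12.5
security:
  authorization: enabled
"""

# Constructed sample in the pre-2.6 format.
LEGACY_CONF = """\
dbpath = /var/lib/mongodb
auth = true
bind_ip = 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF),
                       ("legacy", LEGACY_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run it against a real file with `audit_mongod_conf(open("/etc/mongod.conf").read())`; a non-empty result on an instance that also faces the Internet is the situation described above.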
Real-Time Deep Packet Inspection
A better approach is to protect the database from the network side. By employing DPI (deep packet inspection) techniques, security tools can analyze the network traffic and determine whether a connection to the database has been properly authenticated. Unauthenticated or unauthorized access can then be logged or stopped.
In the majority of use cases, databases running in the cloud are not intended to be reachable from the Internet. In fact, only a limited list of applications should be allowed to connect to the database. For this situation, whitelisting client addresses is typically the most effective way to reduce the attack surface. However, virtualized environments and the ephemeral nature of workloads require security solutions to be more agile and accurate to make sure the whitelisting scheme actually works.
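To make the two ideas concrete, here is an added example (written for this article; it is not NeuVector's DPI engine or any part of MongoDB) that applies both checks to the client half of one captured connection. It parses the MongoDB wire protocol (OP_QUERY on the $cmd collection for 3.4 and earlier, OP_MSG for 3.6 and later) far enough to read each command name, flags any data command that arrives before the client has even sent saslStart or authenticate, and flags a source address that is not on the whitelist. The byte streams, addresses and whitelist are constructed samples, as is the BSON encoder used to build them. Two caveats for a real inspection point: it should also parse the server's reply to saslContinue to confirm that authentication succeeded rather than merely attempted, and if the traffic is TLS-encrypted it must sit where it sees plaintext.

```python
"""Minimal MongoDB wire-protocol inspection, added as an example for this article;
not NeuVector's DPI engine.  Decodes only enough BSON to read a command name (the
first key of the command document) and ignores server replies."""
import struct

OP_QUERY, OP_MSG = 2004, 2013           # legacy (<=3.4) and current (3.6+) opcodes
AUTH_COMMANDS = {"saslStart", "saslContinue", "authenticate"}
# Commands a client may legitimately send before authenticating.
PRE_AUTH_OK = {"isMaster", "ismaster", "hello", "ping", "buildInfo"} | AUTH_COMMANDS


def bson_encode(doc):
    """Encode a flat dict of str/int values; enough for command documents."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        else:
            body += b"\x10" + name + struct.pack("<i", value)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_first_key(data):
    """Name of the first element of a BSON document, i.e. the command name."""
    size = struct.unpack_from("<i", data, 0)[0]
    if size < 5 or data[4] == 0:            # empty document
        return None
    return data[5:data.index(b"\x00", 5)].decode()


def build_msg(cmd, db="admin", opcode=OP_MSG, request_id=1):
    """Wrap a command in OP_MSG (with $db) or a legacy OP_QUERY against db.$cmd."""
    doc = dict(cmd)
    if opcode == OP_MSG:
        doc["$db"] = db
        payload = struct.pack("<I", 0) + b"\x00" + bson_encode(doc)   # flags, kind 0
    else:
        payload = (struct.pack("<i", 0) + f"{db}.$cmd".encode() + b"\x00"
                   + struct.pack("<ii", 0, -1) + bson_encode(doc))
    return struct.pack("<iiii", 16 + len(payload), request_id, 0, opcode) + payload


def command_name(msg):
    """Command name carried by one client message, or None if it is not a command."""
    length, _, _, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode == OP_MSG:                    # header(16) + flagBits(4) + kind(1)
        return bson_first_key(msg[21:length])
    if opcode == OP_QUERY:                  # header(16) + flags(4) + cstring collection
        end = msg.index(b"\x00", 20)
        if not msg[20:end].endswith(b".$cmd"):
            return None                     # an ordinary query, not a command
        return bson_first_key(msg[end + 9:length])   # NUL(1) + skip(4) + return(4)
    return None


def split_stream(data):
    """Cut a TCP byte stream into whole wire-protocol messages."""
    msgs, off = [], 0
    while off + 16 <= len(data):
        length = struct.unpack_from("<i", data, off)[0]
        msgs.append(data[off:off + length])
        off += length
    return msgs


def inspect_connection(client_ip, stream, whitelist):
    """Alerts for one connection; an empty list means it looked legitimate."""
    alerts = []
    if client_ip not in whitelist:
        alerts.append(f"{client_ip}: not on the client whitelist")
    auth_attempted = False
    for cmd in map(command_name, split_stream(stream)):
        if cmd in AUTH_COMMANDS:
            auth_attempted = True
        elif cmd is not None and cmd not in PRE_AUTH_OK and not auth_attempted:
            alerts.append(f"{client_ip}: '{cmd}' sent before any authentication attempt")
    return alerts


# Constructed samples: a scanner that walks straight in, and a proper SCRAM client.
ATTACKER_STREAM = b"".join([
    build_msg({"isMaster": 1}, opcode=OP_QUERY, request_id=1),
    build_msg({"listDatabases": 1}, opcode=OP_QUERY, request_id=2),
    build_msg({"dropDatabase": 1}, db="customers", opcode=OP_QUERY, request_id=3),
])
LEGIT_STREAM = b"".join([
    build_msg({"hello": 1}, request_id=1),
    build_msg({"saslStart": 1, "mechanism": "SCRAM-SHA-1"}, request_id=2),
    build_msg({"saslContinue": 1, "conversationId": 1}, request_id=3),
    build_msg({"find": "orders", "limit": 1}, db="shop", request_id=4),
])
CLIENT_WHITELIST = {"10.0.12.20", "10.0.12.21"}

if __name__ == "__main__":
    print(inspect_connection("198.51.100.7", ATTACKER_STREAM, CLIENT_WHITELIST))
    print(inspect_connection("10.0.12.20", LEGIT_STREAM, CLIENT_WHITELIST))
```

The whitelist check is the cheap one and should fire first; the protocol check catches the case the article worries about, a client that is inside the perimeter but never authenticates.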
In the case of containerized applications (MongoDB is one of the top downloads from Docker Hub), monitoring and enforcing client access whitelists is even more difficult. With application containers constantly scaling up and down across multiple hosts and even clouds, manually created security rules are simply not practical. This is an example of where intelligence about the application images, containers, overlay networks, and network connections should be built into the security fabric protecting all containers, so that the whitelist follows the workloads rather than their addresses.
About the Author: Gary Duan
Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet's award-winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.