The other night on Twitter, after I and others communicated concern as the number of attacks on misconfigured MongoDB installations rose to 27,000 in a relatively short period, @Cyber_War_News and I had a respectful disagreement about the seriousness of the situation:
still shocked that yall shocked and fussing about the mongodb ransom spike.
— CWN (@Cyber_War_News) January 8, 2017
@PogoWasRight well we all know 95% are dev and waste databases, others are most likely backed up, i see no major issue really
— CWN (@Cyber_War_News) January 8, 2017
In light of the above, I thought I’d highlight what we can learn from the MongoDB ransacking sheet created by Victor Gevers and Niall Merrigan. They’ve added a sheet about the victims they’ve provided assistance to. For the first 118 victim entries, consider the following:
- Only 13 report that they had recently backed up the now-wiped database; the rest reported no recent backups.
- 7 reported paying the ransom; none of those had gotten their data back.
- 86 of the databases (73%) were production databases, with an additional 11 instances being coded as “staging,” and 4 instances coded as “development.” The remaining were coded as “unknown,” left blank, or had other designations.
Maybe the first 118 cases are an atypical sample of the more than 27,000 that have been hit, but also consider this:
For the 40+ U.S. entries in the sheet, the production databases included:
- a travel organization that issued tickets and stored search and customer data in the database;
- an online advertising firm that stored online ads tracking data;
- a school that stored a student database;
- an Internet app (Social Media) that stored user data;
- a Consumer Services organization that stored customer data;
- an Online Media entity that stored customer data;
- an Online Service (Webshop) that stored orders and customer data; and
- an Online Service (Financial) that stored transaction logs.
Many other U.S. entries were noted as “production” without more specific information entered yet.
And of course, the problem is not confined to U.S. databases. A French healthcare research entity had its database with cancer research data wiped out. They reported no recent backup. And an online financial service in Argentina also had its production database wiped out; that one contained payroll data. They, too, had no recent backup.
As of yesterday, more than 93 terabytes of data had been wiped out.
So should we be concerned about these attacks? I think we should.
But in light of the fact that this is not a new problem, will the Federal Trade Commission consider any enforcement actions against some entities for not using “reasonable security” to protect personally identifiable information? Could the FTC argue that even if they haven’t specifically provided any guidance on MongoDB or other NoSQL databases, the information was out there and entities or their third-party vendors should have known by now?
This post was edited post-publication as it was accidentally posted before completion.