Ransomware recently struck some unsecured MongoDB installations and held the data to ransom. Here, we will introduce MongoDB and examine some steps you can take to secure and protect its database.
What is MongoDB
MongoDB is an open source database that stores data using a flexible document data model. Unlike traditional relational databases, which are built from tables and rows, MongoDB is organized into collections and documents.
Following a dynamic schema design, MongoDB allows the documents in a collection to have different fields and structures. The database uses a document storage and data interchange format called BSON, which provides a binary representation of JSON-like documents. This makes data integration for certain types of applications faster and easier.
Ransomware attacks MongoDB data
There have been a string of Ransomware attacks on poorly secured MongoDB installations.
A few years back, security expert Victor Gevers discovered 200 MongoDB installations that had been attacked and held for ransom. Soon afterwards the number of infected installations had soared to 2000, as reported by another security researcher, Shodan founder John Matherly. Initial reports suggested that attackers were demanding 1 Bitcoin as ransom.
More hackers are doing the same: accessing, copying, and deleting badly configured databases for ransom.
How does the MongoDB Ransomware sneak in
The servers targeted by the hackers have been MongoDB instances reachable from the internet without a password. Administrators who chose to run their servers without a password and kept the default usernames were easily spotted by the hackers.
What’s worse, in some cases the same server has been re-hacked by different hacker groups, each replacing the existing ransom note with its own, making it impossible for victims to know whether they are even paying the right criminal, let alone whether their data can be recovered. There is no certainty that any of the stolen data will be returned; even if you pay the ransom, your data may still be gone.
MongoDB security
Server administrators must assign a strong username and password for accessing the database. Companies using the default installation of MongoDB are also advised to update their software, set up authentication, and lock down port 27017, which has been targeted the most by the hackers.
Steps to protect your MongoDB data
- Enforce Access Control and Authentication
Start by enabling access control on your server and specifying the authentication mechanism. Authentication requires that all users provide valid credentials before they can connect to the server.
The MongoDB 3.4 release enables you to configure authentication on an unprotected system without incurring downtime.
- Setup Role-Based Access Control
Rather than granting full access to a set of users, create roles that define the exact access each set of users needs, following the principle of least privilege. Then create users and assign them only the roles they need to perform their operations.
- Encrypt Communication
Encrypting data in transit keeps an attacker who captures network traffic from reading it. Configure MongoDB to use TLS/SSL for all incoming and outgoing connections: between the mongod and mongos components of a deployment, and between all applications and MongoDB.
With MongoDB Enterprise 3.2, the WiredTiger storage engine’s native encryption at rest can be configured to encrypt data in the storage layer. If you are not using WiredTiger’s encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption.
- Limit Network Exposure
To limit network exposure, ensure that MongoDB runs in a trusted network environment. Admins should allow only trusted clients to reach the network interfaces and ports on which MongoDB instances are available.
- Backup your data
MongoDB Cloud Manager and MongoDB Ops Manager provide continuous backup with point-in-time recovery, and users can enable alerts in Cloud Manager to detect whether their deployment is exposed to the internet.
- Audit System Activity
Auditing your systems periodically ensures that you are aware of any irregular changes to your database. Track access to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events on a MongoDB instance.
- Run MongoDB with a Dedicated User
Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.
- Run MongoDB with Secure Configuration Options
MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. If you do not use these operations, disable server-side scripting with the --noscripting option on the command line.
Use only the MongoDB wire protocol on production deployments. Keep input validation enabled: MongoDB enables it by default through the wireObjectCheck setting, which ensures that all documents stored by the mongod instance are valid BSON.
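As an added example (my code, not from the original article or from MongoDB), a small Python audit that checks a mongod.conf against the settings covered in the steps above: access control, bindIp, TLS, server-side scripting (security.javascriptEnabled is the config-file form of --noscripting) and wireObjectCheck. The parser and both sample configs are mine; the addresses and file path in them are constructed placeholders.

```python
def parse_conf(text):
    """Tiny indentation-based parser for mongod.conf's YAML mapping layout (no lists)."""
    root, stack = {}, []                                # stack of (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:         # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1] if stack else root
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit(text):
    """Return the weak settings found; an empty list means the config passes."""
    conf = parse_conf(text)
    net, sec, findings = conf.get("net", {}), conf.get("security", {}), []
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization: anyone who reaches port 27017 is a full admin")
    if net.get("bindIpAll") == "true" or "0.0.0.0" in net.get("bindIp", "localhost").split(","):
        findings.append("net.bindIp: mongod listens on every interface, internet included")
    if net.get("tls", {}).get("mode") != "requireTLS":
        findings.append("net.tls.mode: clients are not forced to use TLS")
    if sec.get("javascriptEnabled", "true") != "false":
        findings.append("security.javascriptEnabled: server-side JS is on (config form of --noscripting)")
    if net.get("wireObjectCheck", "true") == "false":
        findings.append("net.wireObjectCheck: BSON input validation has been switched off")
    return findings

# Added example, not MongoDB's tooling. Constructed samples: a default-style config of the
# kind that got ransomed, and a hardened one (addresses and path are placeholders).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5          # constructed trusted addresses only
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled
  javascriptEnabled: false
"""
```

Run `audit(open("/etc/mongod.conf").read())` against a real file; four findings come back for the weak sample and none for the hardened one.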
- Request a Security Technical Implementation Guide (where applicable)
The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required. You can request a copy for more information.
- Consider Security Standards Compliance
For applications requiring HIPAA or PCI-DSS compliance, refer to the MongoDB Security Reference Architecture to learn how you can use its key security capabilities to build a compliant application infrastructure.
How to find out if your MongoDB installation is hacked
- Verify your databases and collections. The hackers usually drop databases and collections and replace them with a new one while demanding a ransom for the original.
- If access control is enabled, audit the system logs for unauthorized access attempts or suspicious activity. Look for commands that dropped your data, modified users, or created the ransom demand record.
Please note that even after you pay the ransom, there is no guarantee that your data will be returned. Hence, after the attack, your first priority should be securing your cluster(s) to prevent further unauthorized access.
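The log review above can be scripted. This added example (my code, not the article's or MongoDB's) scans MongoDB's JSON-format server log for failed authentication, data-dropping commands and user-account changes, and reports which connection did what; the log lines are constructed in the shape of that format, with made-up connection ids, client address, user and database names.

```python
"""Added example, not MongoDB's tooling: scan mongod's JSON log for the traces described above."""
import json

# Commands that destroy data or change who can log in: the trail a ransom attack leaves behind.
DESTRUCTIVE = {"dropDatabase", "drop", "delete"}
ACCOUNT_CHANGES = {"createUser", "dropUser", "updateUser", "grantRolesToUser"}

def classify(entry):
    """Return (kind, detail) for one parsed log entry, or None if it looks routine."""
    attr = entry.get("attr", {})
    if entry.get("msg") == "Authentication failed":
        who = f'{attr.get("principalName")}@{attr.get("authenticationDatabase")}'
        return "auth-failure", f'{who} from {attr.get("client")}'
    command = attr.get("command", {})
    name = next(iter(command), None)    # first key of a command document is the command name
    if name in DESTRUCTIVE:
        return "data-destroyed", f'{name} on {command.get("$db")}'
    if name in ACCOUNT_CHANGES:
        return "account-change", f'{name} {command[name]} on {command.get("$db")}'
    return None

def scan(lines):
    """Return suspicious events as (connection, kind, detail) in log order; non-JSON lines are skipped."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        found = classify(entry)
        if found:
            hits.append((entry.get("ctx"), *found))
    return hits

# Constructed sample in the shape of MongoDB's structured (JSON) log: one connection fails to
# authenticate, another drops a database and adds a user, a third runs a normal query.
SAMPLE_LOG = [
    '{"t":{"$date":"2024-01-09T02:11:03Z"},"s":"I","c":"ACCESS","ctx":"conn7","msg":"Authentication failed",'
    '"attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","client":"203.0.113.7:49211"}}',
    '{"t":{"$date":"2024-01-09T02:13:40Z"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query",'
    '"attr":{"type":"command","ns":"customers.$cmd","command":{"dropDatabase":1,"$db":"customers"},"durationMillis":120}}',
    '{"t":{"$date":"2024-01-09T02:13:41Z"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query",'
    '"attr":{"type":"command","ns":"admin.$cmd","command":{"createUser":"svc_backup","roles":["root"],"$db":"admin"}}}',
    '{"t":{"$date":"2024-01-09T02:14:02Z"},"s":"I","c":"COMMAND","ctx":"conn3","msg":"Slow query",'
    '"attr":{"type":"command","ns":"customers.orders","command":{"find":"orders","filter":{"id":42},"$db":"customers"}}}',
    'not a json line: rotated or truncated output is skipped',
]
```

Feed it the real file with `scan(open("/var/log/mongodb/mongod.log"))`; only entries that mongod actually logged (slow or profiled commands, auth failures) can be found this way, so the MongoDB Enterprise audit log is the more complete source where it is available.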
How do I protect my MongoDB database?
There are several things you can do to protect your MongoDB database, and some of them are covered in this article: enforce access control and authentication, configure role-based access control, encrypt your communications, limit network exposure, and so on. Beyond these, it is recommended that you back up your data continuously so that you can always recover.
Is MongoDB a secure database?
Yes, MongoDB is a secure database that you can use for almost any purpose, and it is a great alternative to Apache, DynamoDB, Redis, etc. It offers several security measures to keep things secure and safe for its users.
If you take backups, then when you restore the most recent version you can evaluate what data may have changed between that backup and the time of the attack. For more, visit mongodb.com.