Nearly 30,000 MongoDB servers held captive in ransomware attacks – and ElasticSearch is just as bad

Ransomware has been hitting the headlines in early 2017, with high-profile attacks on MongoDB, ElasticSearch, Hadoop and CouchDB installations sweeping the internet. However, only now has research revealed the true extent of the attacks.

Rapid7 ran a ‘devops-ish’ investigation using Project Sonar, the security firm’s research project that runs internet-wide surveys across different services and protocols. Though some subnets choose to block Rapid7, the firm scanned the internet subnets it could reach and found:

56,000 MongoDB servers
18,000 ElasticSearch servers
4,500 CouchDB servers

The investigation found that a huge 58% of ElasticSearch servers were held captive, with MongoDB not far behind at 50% compromised. 10% of CouchDB servers were ransomed.


A large percentage of the databases scanned were found to run in the cloud, which was somewhat unsurprising; Amazon was the top hosting provider for all three databases. Explaining why attackers are targeting these databases, Bob Rudis, writing on the Rapid7 blog, said:

“The core reason why attackers are targeting devops-ish technologies is that most of these servers have default configurations which have tended to be wide open (i.e. they listen on all IP addresses and have no authentication) to facilitate easy experimentation and exploration. Said configuration means you can give a new technology a test on your local workstation to see if you like the features or API but it also means that — if you’re not careful — you’ll be exposing real data to the world if you deploy them the same way on the internet.”

The security firm advises those running these databases to check their configuration, ensuring that at the very least authentication is enabled and that rudimentary network security groups are configured to limit access. Rapid7 also advised the use of automation, seeing as most of the databases are deployed in the cloud.

“It’s also wise to configure your development and testing environments the same way you do production (hey, you’re the one who wanted to play with devops-ian technologies so why not go full monty?),” said Rudis.

“You should also configure your monitoring services and vulnerability management program to identify and alert if your internet-facing systems are exposing an insecure configuration. Even the best shops make deployment mistakes on occasion.”
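The two configuration defaults Rudis describes (listening on every IP address, and no authentication) can be caught before deployment by a simple automated check of the kind the article recommends. The script below is an added example, not Rapid7's tooling or anything from the original article: it reads a mongod.conf, the YAML file MongoDB uses, and flags the real `net.bindIp`, `net.bindIpAll` and `security.authorization` settings when they leave the server exposed. The two sample config files are constructed for illustration, one reproducing the wide-open 2017-era defaults and one hardened as the article advises. The tiny YAML reader is a deliberate simplification that understands only the flat `section:` / `  key: value` layout of mongod.conf, not arbitrary YAML.

```python
"""Audit a mongod.conf for the wide-open defaults described in the article.

Added example (not the article's or Rapid7's code). Checks real MongoDB
settings: net.bindIp, net.bindIpAll and security.authorization.
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Minimal reader for the two-level 'section:' / '  key: value' layout
    mongod.conf uses. Assumption: no lists, anchors or multi-line values."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        if indent == 0:
            section = key
            config.setdefault(section, {})
        elif section is not None:
            config[section][key] = value
    return config


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the two checks pass."""
    cfg = parse_simple_yaml(text)
    findings = []

    net = cfg.get("net", {})
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    bind_ips = [ip.strip() for ip in net.get("bindIp", "").split(",") if ip.strip()]
    # An absent bindIp is treated as exposed: pre-3.6 mongod bound to all
    # interfaces unless told otherwise, which is the era the article covers.
    if bind_all or not bind_ips or "0.0.0.0" in bind_ips or "::" in bind_ips:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")
    elif not set(bind_ips) <= LOOPBACK:
        findings.append("bound to a non-loopback address: " + ", ".join(bind_ips))

    security = cfg.get("security", {})
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("authentication not enforced (security.authorization != enabled)")
    return findings


# Constructed sample: the wide-open layout attackers were hitting in 2017.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # every interface, no auth section at all
"""

# Constructed sample: hardened as the article advises.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run against the weak sample the audit reports both problems; the hardened sample reports none. Hooking a check like this into a deployment pipeline or a periodic scan of internet-facing hosts is one way to meet Rudis's advice that monitoring should alert on an insecure configuration rather than relying on nobody ever making a deployment mistake.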

A possible 10,000 Hadoop Distributed File System installations were thought to be captive in previous reports – read more here.

This article is from the CBROnline archive: some formatting and images may not be present.