Active Exploitation of Database Services using Default Installation Configurations

Number: AL17-001
Date: 06 January 2017

Purpose

The purpose of this alert is to bring attention to the active exploitation of database services through default installation configurations.

Assessment

CCIRC is aware of attackers exploiting their knowledge of default installation configurations for database services. Open-source news reporting indicates that these actors have been observed scanning for and accessing MongoDB installations running with default configurations, exporting the data to their own hosts, wiping the contents of the database, and then holding the data for ransom.

With default installation configurations, several database software packages are easily susceptible to this type of attack because they either require no authentication at all (ex. MongoDB) or ship with publicly known default credentials.

Suggested action

CCIRC strongly discourages the paying of any ransom. Paying a ransom does not guarantee you will get your data back, and it encourages further criminal activity.

CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.

• Enable access control and require authentication (with a robust password policy).
• Limit network exposure to what is minimally necessary (ex. trusted hosts/interfaces).
• Employ a data backup policy.
• Deploy security solutions as applicable.
• Ensure systems are patched and updated.
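The first two mitigations above (require authentication, limit network exposure) map directly onto two settings in a mongod.conf file: security.authorization and net.bindIp. The following audit script is an added example written for this alert, not code from CCIRC or from MongoDB. It embeds two constructed configuration files (a permissive one resembling a default installation and a hardened one) and flags the settings that leave the service open. It assumes, as was the case for releases before MongoDB 3.6, that a missing net.bindIp means the server listens on all interfaces; the minimal parser handles only the two-level key/value layout shown and is used to keep the example dependency-free.

```python
"""Audit a mongod.conf for the two default-installation weaknesses described in AL17-001:
no authorization requirement and a listener bound to every network interface."""

# Constructed sample resembling a default installation: no 'security' section, bound to all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample of the corrected configuration: authorization on, listener limited to trusted addresses.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one trusted application host (constructed address)
security:
  authorization: enabled
"""

# Values of net.bindIp that expose the listener on every interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Minimal parser for the 'section:' / '  key: value' layout used by mongod.conf.

    Comments are stripped and only two levels of nesting are understood; a full YAML
    library should be used against real files (assumption: kept dependency-free here).
    """
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            result.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(": ")
            result[section][key.strip()] = value.strip()
    return result


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings = []

    # Mitigation 1: access control. Default is 'disabled', so any client can read and drop data.
    authorization = conf.get("security", {}).get("authorization", "disabled")
    if authorization != "enabled":
        findings.append("security.authorization is not 'enabled': unauthenticated clients "
                        "can read, export and wipe every database")

    # Mitigation 2: network exposure. Before 3.6 an unset bindIp listened on all interfaces
    # (assumption: the audited host is from that era, as in the January 2017 incidents).
    bind = conf.get("net", {}).get("bindIp")
    if bind is None:
        findings.append("net.bindIp is unset: releases before 3.6 then listen on all interfaces; "
                        "set it to loopback and trusted addresses only")
    else:
        addresses = {a.strip() for a in bind.split(",")}
        if addresses & PUBLIC_BINDS:
            findings.append(f"net.bindIp {bind!r} listens on every interface; "
                            "restrict it to trusted hosts/interfaces")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real mongod.conf by reading the file into a string and passing it to audit(). Note that turning on security.authorization without first creating an administrative user locks everyone out, so the user should be created (db.createUser() in the mongo shell) before the hardened configuration is applied and the service restarted.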

Several developers/vendors of database software packages provide software-specific security documents (ex. best practices, checklists, guides, manuals, etc.), which should be reviewed and actioned as deemed required.

References

MongoDB Security Checklist:
https://docs.mongodb.com/manual/administration/security-checklist/

News: Number of Hijacked MongoDB Databases Is Going Up as More Hackers Are Flocking In
https://www.bleepingcomputer.com/news/security/number-of-hijacked-mongodb-databases-is-going-up-as-more-hackers-are-flocking-in/

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
