Home United States USA — IT MongoDB ransomware attacks sign criminals are going after servers, applications

MongoDB ransomware attacks sign criminals are going after servers, applications

243
0
SHARE

NewsHubThe tremendous success of ransomware infections over the past year showed cybercriminals that holding data for ransom is the key to making money from online attacks. Ransom-based attacks are evolving, and if enterprise defenders aren’t careful, they are going to soon see more ransom notes popping up on their servers, databases, and back-end applications.
Consider last week’s events: After Victor Gevers, a security researcher and founder of GDI Foundation, reported several hundred instances of publicly exposed MongoDB installations had been wiped and held for ransom over the previous two weeks, several other attackers joined in, bumping the number of compromised databases from several hundred to more than 10,000.
The attackers didn’t need to bother with malware to gain access to the database or the information saved within—the door was wide open since these MongoDB installations used the default configuration, which allowed unauthenticated connections via port 27017. These databases were fully accessible from the internet, and anyone connecting via that port had full administrator rights to read, create, update, and delete records.
While compromising a few systems and encrypting the data in large enterprises will continue to be lucrative—healthcare facilities paid out thousands of dollars in 2016 to regain control of their data and systems—attackers are going to change tactics to keep their income stream flowing. Databases, web servers, application servers, enterprise resource planning (ERP) systems, and other enterprise applications all contain valuable information that can disrupt business operations if stolen.
“Attackers are always looking to increase the value of what they steal,” said Jeff Schilling, chief of operations and security at cloud security provider Armor.
It’s a safe bet that even if the enterprise doesn’t use MongoDB, which is widely used in big data and heavy analytics environments, it may be running other servers or applications that are accessible from the internet and vulnerable to attack. Criminals can easily shift their attacks to those servers and applications. Already, last spring, researchers from Cisco’s Talos Security Intelligence and Research Group found that attackers were exploiting vulnerabilities in JBoss application servers to spread SamSam ransomware.
The data contained on those systems don’t have to be something the attacker can sell on the black market—it just needs to be valuable to the owner. It doesn’t matter if the database or back-end system doesn’t have financial data or transactional information. Application source code, personnel files, organization data, and entire application servers are all valuable.
“As long as it’s valuable to someone, attackers can target it for ransomware in order to make a profit,” said Jordan Wright, an R&D engineer at authentication company Duo Security.

Continue reading...