Thousands of companies (and their clients) in danger after a massive 'ransomware' attack
MongoDB is a company that will be unknown to most readers, but companies like Telefónica, Amazon and Vodafone rely on it to store their databases. Now all the information stored in this free, open-source system is in jeopardy: a series of 'ransomware' attacks has already hit 27,000 of its servers, a quarter of the total. The attackers have taken advantage of a misconfiguration to hijack the data, sometimes deleting it in the process, and demand a ransom of up to $500.
It all started on December 21st, when Victor Gevers, a 'hacker' with the GDI Foundation, whose goal is to keep the Internet secure, discovered the first case together with his partner Niall Merrigan. A financial institution had lost all the information in its database, and only one message was left: "Send 0.2 bitcoins [about 170 euros] to retrieve your data". The problem was only beginning, and the number of affected databases is now approaching 30,000.
"More than 100 terabytes of information from several years have been wiped," Gevers tells Teknautas; he had been warning of the danger for some time. Government agencies, retailers, financial and research data, medical records, the technology industry, online games, user accounts, intellectual property, dating websites... "MongoDB is everywhere." But not all of its databases are in jeopardy: César Trigo, founder of the Spanish MongoDB user community, says that only the data stores left with the insecure default, no password, are vulnerable.
"They have created 'scripts' with which they connect to databases, make a copy, erase it, and hijack the information"
MongoDB has paid products and free ones. It is the latter that lack security by default and are therefore exposed to attack. "In Spain there are 405 databases that could be attacked in a matter of minutes," says Gevers. Worldwide the figure rises to 65,000 databases.
Trigo summarizes what little MongoDB has shared so far about the 'hack'. It all started with a first attacker, probably a single person: "Right now there are three; you don't know whether they are groups or individuals." "For simplicity they look like individuals, but they are trying to recruit more people." Through the Shodan service, which can search for Internet-connected devices, they find the unprotected databases.
The number of attacks implies that the process is automated: "They have created scripts" with which they connect to the databases, make a copy, delete it, and hold the information hostage. They also send an email asking for about 170 euros. Trigo adds that a battle is now under way between the attackers: some companies pay the ransom and recover their data, only for another 'hacker' to steal it again.
"We have no evidence that all victims are going to get their data back," laments Gevers. Carlos Tomás, technical manager at the security company Enigmedia, blames customers who have not configured the system properly, but above all MongoDB: "Vendors have to get used to default configurations not being insecure."
The threat continues (and has no easy solution)
"There is no way to stop it." The 'software' is installed on the customer's own systems, and although MongoDB released an update to change those default settings, it is the user who would have to install it, Tomás says. Once the information has been stolen, the only salvation is to have backups, although many companies do not maintain them properly.
According to Trigo, the main problem is that it has not been possible to stop this massive attack, which is still under investigation. The expert recommends reviewing recent accesses to the infrastructure and increasing the frequency of backups. MongoDB, for its part, has restated its guidelines for securing deployments and mitigating damage. Meanwhile, thousands of databases remain in jeopardy.