In recent weeks Bitcoin has risen to prices not seen since late 2013. Coincidentally, there have been a number of ongoing attacks targeting insecure deployments of various open source database technologies (such as MongoDB). Is there a connection?
Hacking groups are leveraging open source intelligence techniques (that is, intelligence collected from publicly available sources, not related to open source software) to identify targets and then either copy, destroy or encrypt data. From the victim’s standpoint, they’re left with a database containing nothing except ransom instructions – usually in the form of Bitcoin payment – with no guarantee of restoration of their data.
Not only are these deployments being exploited in the wild, but various toolkits specifically designed to programmatically target and acquire weak deployments are being sold online. Tools such as Shodan demonstrate a target-rich environment of vulnerable databases.
Experience NOT Required
While we should always assume that experienced hackers are a threat, advanced skills are not a prerequisite for these attacks. Given the accessibility of toolkits, target intelligence and ease of exploitation, the range of actors capable of the attacks is expanding. Non-targeted attacks, those based on opportunism instead of a specific agenda, will become more prevalent, motivated solely by monetary gain.
It’s Not Always About Coding Errors
The latest spate of ransomware attacks on MongoDB and other open source databases is not due to insecure technologies or an insecure development process. Instead, attackers are exploiting human error: weak security configurations applied to the database during integration and deployment.
MongoDB and similar free and open source databases offer several engineering advantages, including higher throughput, scalability and agility, which align themselves well with the increasing demands of agile development. Similar to traditional database technologies, these systems need to be configured securely to ensure data privacy.
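To make the point about configuration concrete, the two mongod.conf fragments below are an added illustration, not taken from the original post or from the MongoDB project's documentation. The first shows the kind of deployment the attacks described above rely on: the server listens on every interface and access control is switched off, so anyone who can reach the port can read, drop or replace collections. The second enables the built-in protections. The option names (net.bindIp, net.port, security.authorization) are standard mongod configuration keys; the comments describe intent and assume a single-host deployment where only local clients need access.

```yaml
# --- Weak deployment (the pattern behind the ransom incidents) ---
# Constructed example, not the project's default configuration file.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network interface, including the public internet
# No "security" section at all: with authorization left unset, every
# connection is trusted and no credentials are required.

# --- Hardened deployment ---
net:
  port: 27017
  bindIp: 127.0.0.1        # listen only on loopback; open to specific hosts or a VPN/private subnet if remote access is really needed
security:
  authorization: enabled   # every client must authenticate and is limited to the roles granted to its user
```

With authorization enabled, the first action after start-up is to create an administrative user over the loopback connection; until that user exists, the localhost exception is the only way in. Binding to loopback also gives a quick detection signal: if the deployment team expected the service to be private, anything answering on 27017 from an external address scan (the same visibility a Shodan query gives an attacker) is a misconfiguration to fix, and a host firewall rule should back up the bindIp setting rather than replace it.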
The increasing demand for rapid feature delivery and tighter deadlines results in security being de-prioritized or becoming a task for tomorrow. As I have found in various scenarios, culture plays a fundamental role in maintaining a proactive security posture. Security awareness should be a core aspect of development and not something to be reviewed at a later date.
Thankfully, a number of FOSS databases have responded to these attacks by adopting a “secure by default” stance. This approach enables security features out of the box and improves awareness of the product features designed to protect confidential data.
Security Isn’t Accidental
Security is cultural. It needs to be driven from management downwards and to be seen as a necessity instead of an afterthought or speed-bump in the way of progress.
Secure by default should be adopted by every piece of software, both FOSS and closed source. Regular backups should be mandatory when dealing with production data. Secure coding is only one part of the equation. Security requires a full-time security mindset.