Intruder finds Mongo databases breached within 13 hours of exposure
July 2020 by Intruder
Research carried out by cybersecurity company Intruder has revealed that on average, an exposed Mongo database is breached within 13 hours of being connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set up.
MongoDB is a cross-platform document-oriented database program that consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organisations all over the globe to store and secure sensitive application and customer data. There are 80,000 exposed MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000 are already infected with ransomware.
After seeing how consistently database breaches were occurring, Intruder planted honeypots to find out how these attacks happen, where the threats are coming from, and how fast it takes place. Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data. The network traffic was monitored for malicious activity and if password hashes were exfiltrated and seen crossing the wire, this would indicate that a database was breached.
Intruder’s latest research shows that Mongo databases are subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online.
At least one of the honeypots was held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them with a ransom note, requesting payment in Bitcoin for recovery of the data. Where did the attacks come from?
Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP ‘Skynet’ and over half of the breaches originated from IP addresses owned by a Romanian VPS provider.
Chris Wallis, Founder and CEO of Intruder said: “It’s quite possible that some of the activity recorded was from security researchers looking for their next headline or data for their breach database. However, when it comes to a company’s security reputation, it often doesn’t matter whether the data is breached by a malicious attacker or a well-meaning researcher. “Even if security teams can detect an unsecured database and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone in under 9 minutes. Prevention is a much stronger defence than cure.”