Research carried out by a renowned Cyber Security company, Intruder has revealed that on average, an exposed Mongo database is breached within 13 hours of being connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set up.

MongoDB database program

MongoDB is a cross-platform document-oriented database program that consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organisations all over the globe to store and secure sensitive application and customer data.

There are 80,000 exposed MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000 are already infected with ransomware.

Honeypots to check on data breaches

Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data.

After seeing how consistently database breaches were occurring, Intruder planted honeypots to find out how these attacks happen, where the threats are coming from, and how fast it takes place. Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data.

The network traffic was monitored for malicious activity and if password hashes were ex-filtrated and seen crossing the wire, this would indicate that a database was breached.

Countering rising cases of cyber-attacks

Intruder's latest research shows that Mongo databases are subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online.

At least one of the honeypots was held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them with a ransom note, requesting payment in Bitcoin for recovery of the data.

Cyber-threat from unknown global sources

Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP ‘Skynet’ and over half of the breaches originated from IP addresses owned by a Romanian VPS provider.

Chris Wallis, Founder and Chief Executive Officer (CEO) of Intruder stated, “It's quite possible that some of the activity recorded was from security researchers looking for their next headline or data for their breach database. However, when it comes to a company’s security reputation, it often doesn’t matter whether the data is breached by a malicious attacker or a well-meaning researcher.

He adds, “Even if security teams can detect an unsecured database and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone doing so in less than 9 minutes. Prevention is a much stronger defence than cure.

Download PDF version Download PDF version

In case you missed it

Anviz Global expands palm vein tech for security
Anviz Global expands palm vein tech for security

The pattern of veins in the hand contains unique information that can be used for identity. Blood flowing through veins in the human body can absorb light waves of specific wavelen...

Bosch sells security unit to Triton for growth
Bosch sells security unit to Triton for growth

Bosch is selling its Building Technologies division’s product business for security and communications technology to the European investment firm Triton. The transaction enc...

In age of misinformation, SWEAR embeds proof of authenticity into video data
In age of misinformation, SWEAR embeds proof of authenticity into video data

The information age is changing. Today, we are at the center of addressing one of the most critical issues in the digital age: the misinformation age. While most awareness of thi...

Quick poll
What is the most significant challenge facing smart building security today?