Research carried out by a renowned Cyber Security company, Intruder has revealed that on average, an exposed Mongo database is breached within 13 hours of being connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set up.
MongoDB database program
MongoDB is a cross-platform document-oriented database program that consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organisations all over the globe to store and secure sensitive application and customer data.
There are 80,000 exposed MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000 are already infected with ransomware.
Honeypots to check on data breaches
Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data.
After seeing how consistently database breaches were occurring, Intruder planted honeypots to find out how these attacks happen, where the threats are coming from, and how fast it takes place. Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data.
The network traffic was monitored for malicious activity and if password hashes were ex-filtrated and seen crossing the wire, this would indicate that a database was breached.
Countering rising cases of cyber-attacks
Intruder's latest research shows that Mongo databases are subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online.
At least one of the honeypots was held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them with a ransom note, requesting payment in Bitcoin for recovery of the data.
Cyber-threat from unknown global sources
Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP ‘Skynet’ and over half of the breaches originated from IP addresses owned by a Romanian VPS provider.
Chris Wallis, Founder and Chief Executive Officer (CEO) of Intruder stated, “It's quite possible that some of the activity recorded was from security researchers looking for their next headline or data for their breach database. However, when it comes to a company’s security reputation, it often doesn’t matter whether the data is breached by a malicious attacker or a well-meaning researcher.”
He adds, “Even if security teams can detect an unsecured database and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone doing so in less than 9 minutes. Prevention is a much stronger defence than cure.”