One of the major security news stories of 2017 was a ransomware-style campaign targeting improperly secured MongoDB database instances.
Here it is in a nutshell: some MongoDB users had, by mistake, left their databases exposed to the internet without any authentication. Predictably, some online ne’er-do-wells decided to take advantage, copying or simply deleting databases before leaving a ransom note demanding a small fortune in Bitcoin for the safe return of the data. In many cases the attackers had not actually kept a copy, so paying up bought nothing.
Fortunately, that should become much less of an issue as of MongoDB 3.6. Speaking at the MongoDB Europe conference, company founder and CTO Eliot Horowitz explained that MongoDB will no longer ship with an unsafe network configuration out of the box: the 3.6 binaries listen only on localhost unless told otherwise. (The official Linux packages had long shipped a mongod.conf that set bindIp to 127.0.0.1; what changes in 3.6 is the default of the server itself, so a bare mongod started with no config file is no longer exposed. Note that an existing deployment whose config file already binds to 0.0.0.0 stays exposed after upgrading, because explicit settings still override the default.)
“In MongoDB 3.6, localhost only is enabled by default. If you start MongoDB, you have to explicitly turn on networking. If you don’t clearly turn it on, then the entire method of doing ransomware goes away,” he said.
But what happens when you do connect your instance to the network? “If you explicitly turn it on, but don’t turn on authentication, we can’t help you at that point. But you have to intentionally do that, and we’d expect that people think about it a little,” Horowitz explained.
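The exposure pattern Horowitz describes is the combination of two settings: a listen address that is not loopback (via `net.bindIp`, or `net.bindIpAll` in 3.6) and `security.authorization` left unset. The following audit script is an added example, not code from MongoDB Inc or from the original article. It parses the simple key/value subset of YAML that mongod.conf uses (no lists or quoted values; the parser is an assumption of this example, not MongoDB's own loader), works out the effective listen addresses for a given server version, and flags the ransom-note combination. The two sample configurations are constructed for the example.

```python
"""Audit a mongod.conf for the pattern behind the 2017 MongoDB ransom attacks:
a mongod reachable from non-loopback addresses with authorization disabled.
Added example; the YAML parsing and the sample files are constructed here."""

# Constructed sample config: the pre-3.6 default behaviour written out
# explicitly (listen on every interface, no authentication).
PRE_36_STYLE = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample config: reachable on one private interface, with auth.
HARDENED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private interface
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse the indentation-based key: value subset of YAML used by a typical
    mongod.conf into nested dicts of strings. Lists, quoting and IPv6 literals
    (which contain ':') are not handled; this is a deliberately small parser."""
    root = {}
    stack = [(-1, root)]                     # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:                                  # a nested mapping follows
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def listen_addresses(conf, server_version=(3, 6)):
    """Effective bind addresses. Assumption encoded here: 3.6+ binaries default
    to localhost, earlier ones to all interfaces; bindIpAll (3.6+) wins."""
    net = conf.get("net", {})
    if str(net.get("bindIpAll", "false")).lower() == "true":
        return ["0.0.0.0"]
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        return ["127.0.0.1"] if server_version >= (3, 6) else ["0.0.0.0"]
    return [a.strip() for a in bind_ip.split(",") if a.strip()]


def auth_enabled(conf):
    """True only when security.authorization is explicitly 'enabled'."""
    value = conf.get("security", {}).get("authorization", "disabled")
    return str(value).lower() == "enabled"


def audit(text, server_version=(3, 6)):
    """Return (severity, message) findings; an empty list means loopback only."""
    conf = parse_conf(text)
    exposed = [a for a in listen_addresses(conf, server_version)
               if a not in LOOPBACK]
    findings = []
    if exposed:
        findings.append(("info", "listens on non-loopback address(es): "
                         + ", ".join(exposed)))
        if not auth_enabled(conf):
            findings.append(("critical", "security.authorization is not enabled: "
                             "anyone who can reach the port has full access"))
    return findings


def exposed_without_auth(text, server_version=(3, 6)):
    """The ransom-attack precondition: network-reachable and no authorization."""
    return any(sev == "critical" for sev, _ in audit(text, server_version))


if __name__ == "__main__":
    for name, text in (("pre-3.6 style", PRE_36_STYLE), ("hardened", HARDENED),
                       ("empty file, 3.6 binary", "")):
        print(name, audit(text) or "no findings")
    print("empty file, 3.4 binary", audit("", server_version=(3, 4)))
```

The interesting case is the empty configuration: audited as a 3.6 server it produces no findings, while the very same file on a 3.4 binary is flagged critical, which is exactly the default change the talk describes. The hardened sample still earns an informational finding, since being reachable on a LAN interface is a deliberate choice worth recording, but not a critical one.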
In response to this spate of attacks, MongoDB Inc, the company behind MongoDB, has published updated guidance on MongoDB security, with an emphasis on mitigating these ransomware-inspired attacks.
While it’s too late for the roughly 10,500 servers that had already been hit, it will hopefully stop anyone else falling victim in the same way.
For those who have already either paid up or lost their data completely, it’s tough luck. But for newcomers to MongoDB, the extra protection in MongoDB 3.6 should spare them some nasty headaches. Release candidates of the new version have already been made available, and the final release is expected at some point in December.