MongoDB Apocalypse Is Here as Ransom Attacks Hit 10,000 Servers

Is this quote from the article sensationalism or should I be concerned:

In a couple of weeks, it is reasonable to expect that all MongoDB servers exposed to the Internet will lose their data and have their content replaced with a ransom demand.

Is your MongoDB instance exposed to the internet without authentication? If so it’s probably too late…

EDIT: To expand on that, you’re ok if:

  • Your MongoDB instance is listening on localhost or a private network only (I think by default it will accept connections from any IP, assuming the server has a public IP). Note that private network in the Digital Ocean/Linode sense is private to the datacenter, not private to your account, so you’ll still need authentication in that case. Amazon VPC networks should be fine, but again you need to check which IPs Mongo is listening on. Either way authentication is another layer of security that’s worth having even if you think nobody else can access the server.

  • Your MongoDB instance is protected with authentication (preferably with TLS (SSL) enabled). Check you can’t bypass the username and password. It’s really important to have a strong username and password combo if your server is listening on a public IP; scanning tools will find the server with ease, so it’s also worth setting up IP whitelisting using a firewall and using something like Fail2Ban to prevent brute force attacks.

  • You’re using Compose/MongoDB Atlas etc. because this will all be handled for you. Note that Compose’s legacy MongoDB offering doesn’t have SSL enabled so isn’t as secure as the newer deployments or Atlas. Atlas also offers encryption at rest via encrypted EBS volumes, and forces you to whitelist IP addresses for extra security, but I think this can be automated with their API if necessary (e.g. if you’re spinning up new servers on a regular basis).

3 Likes
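The checks listed in the post above (which addresses mongod listens on, whether authentication is on, whether TLS is required) can be run against a `mongod.conf` file. This is an added example, not part of the original thread: the two sample configs are constructed, the helper names `flatten`, `scope` and `audit` are made up for illustration, and the small parser only handles the nested-mapping subset of YAML that mongod.conf normally uses.

```python
import ipaddress
# Constructed sample configs (not from the thread); the option names are real mongod.conf settings.
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n  tls:\n    mode: requireTLS\n"
            "security:\n  authorization: enabled\n")

def flatten(text):
    out, stack = {}, []  # dotted-key result; stack of (indent, key) for enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (part.strip() for part in line.partition(":"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value:
            out[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return out

def scope(addr):
    """Classify one bindIp entry as 'local', 'private' or 'public'."""
    if addr == "localhost" or addr.startswith("/"):  # localhost name or UNIX socket path
        return "local"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "public"  # any other hostname: assume it is reachable
    if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
        return "public"  # 0.0.0.0 and :: mean every interface
    return "local" if ip.is_loopback else "private"

def audit(conf_text):
    c = flatten(conf_text)
    scopes = {scope(a.strip()) for a in c.get("net.bindIp", "").split(",") if a.strip()}
    scopes |= {"public"} if c.get("net.bindIpAll") == "true" else set()
    remote = bool(scopes - {"local"})  # reachable from another host, private network included
    auth = c.get("security.authorization") == "enabled"
    tls = (c.get("net.tls.mode") or c.get("net.ssl.mode")) in ("requireTLS", "requireSSL")
    checks = [
        (not auth and remote, "CRITICAL: network-reachable without authentication"),
        (not auth and not remote, "authentication disabled"),
        (not scopes, "bindIp unset: the default differs between MongoDB versions"),
        ("public" in scopes, "bound to a public or all-interfaces address: add a firewall allowlist"),
        (remote and not tls, "TLS not required on a network-reachable listener"),
    ]
    return [msg for hit, msg in checks if hit]

print(audit(EXPOSED), audit(HARDENED))
```

A private-range address still counts as network-reachable here, matching the point above that a datacenter "private network" is not private to your account.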

Well, your question is more qualified than the quote that I asked about:

reasonable to expect that all MongoDB servers exposed to the Internet

Emphasis mine. I’m on my phone and on the go and don’t have time to research if this is just bad journalism.

But your question suggests I needn’t be concerned since my databases have authentication.

Oh I see, yeah I think just shoddy journalism. It does also say

The attacks don’t target all MongoDB databases, but only those left accessible via the Internet and without a password on the administrator account.

Which matches my understanding of the issue.

I guess the thing to bear in mind if running your own server, even with authentication, is whether you have any monitoring of login attempts, because if your server is on the public internet, someone may well try to brute force their way in. We’re using Compose at the moment (looking to move to MongoDB Atlas) so we have to trust that they’ve got that covered. We use extremely long passwords just in case :)

2 Likes