MongoDB Apocalypse Is Here as Ransom Attacks Hit 10,000 Servers (opens in new tab)

(bleepingcomputer.com)

21 pointssathishvj9y ago16 comments

16 comments

slau9y ago

The same story on Ars has had a bit more traction (120+ comments).

https://news.ycombinator.com/item?id=13345947

"hackers have now hit around 10,500 MongoDB servers. That's about 25% of all MongoDB databases accessible via the Internet. The attacks don't target all MongoDB databases, but only those left accessible via the Internet and without a password on the administrator account."

25% of mongodb installs externally accessible lack a fucking password on the admin account.

They deserve it. Maybe it will teach them something.

iagooar9y ago

I agree with you, but to me it is a problem that goes back to the people who made the decision of allowing admin accounts without a password. In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything. They make mistakes. Then there is a huge pool of companies who have poorly skilled devs coming from the Wordpress/Drupal/Prestashop/Etc background who many times don't actually know anything about security.

Then there is the fact that MongoDB is known for having a very bad reputation among software engineers. I could personally write down many horror stories that I experienced myself, plus all the things you get to hear from friends and tech blogs.

Maybe after this attack some companies ban it from their software stacks. I really hope they do so. The world would be a better place without MongoDB.

mdekkers9y ago

> it is a problem that goes back to the people who made the decision of allowing admin accounts without a password.

No. Just.. no.... Security of YOUR system is YOUR responsibility.

> In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything.

Hire one.

> Maybe after this attack some companies ban it from their software stacks.

Or maybe decision makers realise that yes, you do need to pay for skills.

1 more reply

sgt1019y ago

Could you please write down your horror stories - I am constantly battling to stop MDB being used at work for a variety of reasons (the main one is architectural consistency to drive down legacy costs) so any ammo is much appreciated.

mdekkers9y ago

> They deserve it. Maybe it will teach them something.

My thoughts exactly.

ubersoldat2k79y ago

So it's a problem that Mongo can't handle dumb ass admins? Yeah Mongo, you suck!

iagooar9y ago

There is a thing in software that is called "sane defaults". Some of the best software tools in existence are a mix of a solid base AND sane defaults. If you have a crappy base and dubious defaults, your software probably sucks.

bdcravens9y ago

Maybe I'm being all "get off my lawn", but I feel this is an almost inevitable result of attitudes about new stacks, the rise of the bootcamper, and hackathons-turned-product. In theory that young hipster developer that fits the mold would be just a junior on the team, and their enthusiam and foolhardiness towards moving fast and breaking things would be tempered by more mature team members and operators. However, I think we're seeing a world where 2013 bootcamp grads are the seniors and the cult of hacking and iterating and breaking things means situations like this will become more common.

johnloeber9y ago

As a young hipster developer, I agree with you 100%. Modern startups have generally been taking an approach that is totally dismissive of long-tail risks such as this one.

I think it is extremely unfortunate that financial incentives are currently stacked against engineering responsibly -- a startup that tries to actually secure a well-built product will need to spend an often unaffordable amount of money or time doing so.

LunaSea9y ago

The OWASP top 10 has barely changed in 20 years and SQL injections were always part of it so bootcamps weren't needed for developers to start inserting security vulnerabilities in their apps.

wonko19y ago

Why do so many MongoDB installation lack a password on the Admin account?

I tried search for me info, but could find anything. Was this the default? Procedure given in a popular tutorial? It seems pretty insane.

HappyTypist9y ago

It was the default for at least a year I think. They changed the defaults, but that didn't impact any existing default configs...

kapauldo9y ago

Is there a tool for checking mongo vulnerabilities?

j / k navigate · click thread line to collapse

16 comments

slau9y ago

The same story on Ars has had a bit more traction (120+ comments).

https://news.ycombinator.com/item?id=13345947

gnarbarian9y ago

25% of mongodb installs externally accessible lack a fucking password on the admin account.

They deserve it. Maybe it will teach them something.

iagooar9y ago

Maybe after this attack some companies ban it from their software stacks. I really hope they do so. The world would be a better place without MongoDB.

mdekkers9y ago

> it is a problem that goes back to the people who made the decision of allowing admin accounts without a password.

No. Just.. no.... Security of YOUR system is YOUR responsibility.

> In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything.

Hire one.

> Maybe after this attack some companies ban it from their software stacks.

Or maybe decision makers realise that yes, you do need to pay for skills.

1 more reply

sgt1019y ago

mdekkers9y ago

> They deserve it. Maybe it will teach them something.

My thoughts exactly.

ubersoldat2k79y ago

So it's a problem that Mongo can't handle dumb ass admins? Yeah Mongo, you suck!

iagooar9y ago

bdcravens9y ago

johnloeber9y ago

As a young hipster developer, I agree with you 100%. Modern startups have generally been taking an approach that is totally dismissive of long-tail risks such as this one.

LunaSea9y ago

The OWASP top 10 has barely changed in 20 years and SQL injections were always part of it so bootcamps weren't needed for developers to start inserting security vulnerabilities in their apps.

wonko19y ago

Why do so many MongoDB installation lack a password on the Admin account?

I tried search for me info, but could find anything. Was this the default? Procedure given in a popular tutorial? It seems pretty insane.

HappyTypist9y ago

It was the default for at least a year I think. They changed the defaults, but that didn't impact any existing default configs...

kapauldo9y ago

Is there a tool for checking mongo vulnerabilities?

j / k navigate · click thread line to collapse