MongoDB Apocalypse Is Here as Ransom Attacks Hit 10,000 Servers
bleepingcomputer.com
The same story on Ars has had a bit more traction (120+ comments).
"hackers have now hit around 10,500 MongoDB servers. That's about 25% of all MongoDB databases accessible via the Internet. The attacks don't target all MongoDB databases, but only those left accessible via the Internet and without a password on the administrator account."
25% of mongodb installs externally accessible lack a fucking password on the admin account.
They deserve it. Maybe it will teach them something.
I agree with you, but to me it is a problem that goes back to the people who made the decision of allowing admin accounts without a password. In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything. They make mistakes. Then there is a huge pool of companies who have poorly skilled devs coming from the Wordpress/Drupal/Prestashop/Etc background who many times don't actually know anything about security.
Then there is the fact that MongoDB is known for having a very bad reputation among software engineers. I could personally write down many horror stories that I experienced myself, plus all the things you get to hear from friends and tech blogs.
Maybe after this attack some companies ban it from their software stacks. I really hope they do so. The world would be a better place without MongoDB.
> it is a problem that goes back to the people who made the decision of allowing admin accounts without a password.
No. Just.. no.... Security of YOUR system is YOUR responsibility.
> In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything.
Hire one.
> Maybe after this attack some companies ban it from their software stacks.
Or maybe decision makers realise that yes, you do need to pay for skills.
>> it is a problem that goes back to the people who made the decision of allowing admin accounts without a password.
> No. Just.. no.... Security of YOUR system is YOUR responsibility.
I agree. But what you are saying has nothing to do with whether a database should have sane defaults or not.
>> In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything.
> Hire one.
You seem not to know much about the real world out there. Companies are struggling A LOT to find ANY people at all.
>> Maybe after this attack some companies ban it from their software stacks.
> Or maybe decision makers realise that yes, you do need to pay for skills.
More money is not going to magically increase the pool of skilled software engineers around the world. If all the companies in the world increased what they pay, nothing would change, besides the fact that they would spend more money.
> [...] sane defaults [...]
Defaults - sane or not - lead to exactly these types of situations. It encourages "it's good enough" thinking, and dilutes the feeling of responsibility.
> You seem not to know much about the real world out there.
yeah, yeah... yawn.
> Companies are struggling A LOT to find ANY people at all.
Uhm, not companies that are willing to pay good money for good devs/devops/sysadmins.
> More money is not going to magically increase the pool of skilled software engineers around the world.
I would argue that it is the software developers' job to develop software. It would be a sysadmin/devops type person to look after the infrastructure, and make sure it is properly secured. I see so many job ads for a single role (developer, engineer, CTO, whatever) and then a job description for "must be able to do everything related to any aspect of all our IT". Hilarious.
Could you please write down your horror stories - I am constantly battling to stop MDB being used at work for a variety of reasons (the main one is architectural consistency to drive down legacy costs) so any ammo is much appreciated.
> They deserve it. Maybe it will teach them something.
My thoughts exactly.
So it's a problem that Mongo can't handle dumb ass admins? Yeah Mongo, you suck!
There is a thing in software that is called "sane defaults". Some of the best software tools in existence are a mix of a solid base AND sane defaults. If you have a crappy base and dubious defaults, your software probably sucks.
Maybe I'm being all "get off my lawn", but I feel this is an almost inevitable result of attitudes about new stacks, the rise of the bootcamper, and hackathons-turned-product. In theory that young hipster developer that fits the mold would be just a junior on the team, and their enthusiasm and foolhardiness towards moving fast and breaking things would be tempered by more mature team members and operators. However, I think we're seeing a world where 2013 bootcamp grads are the seniors and the cult of hacking and iterating and breaking things means situations like this will become more common.
As a young hipster developer, I agree with you 100%. Modern startups have generally been taking an approach that is totally dismissive of long-tail risks such as this one.
I think it is extremely unfortunate that financial incentives are currently stacked against engineering responsibly -- a startup that tries to actually secure a well-built product will need to spend an often unaffordable amount of money or time doing so.
The OWASP top 10 has barely changed in 20 years and SQL injections were always part of it so bootcamps weren't needed for developers to start inserting security vulnerabilities in their apps.
Why do so many MongoDB installations lack a password on the Admin account?
I tried searching for more info, but couldn't find anything. Was this the default? Procedure given in a popular tutorial? It seems pretty insane.
It was the default for at least a year I think. They changed the defaults, but that didn't impact any existing default configs...
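Added example, not from the thread or from MongoDB's own documentation: two constructed mongod.conf fragments (YAML config format) showing the exposed setup the article describes, listening on all interfaces with authorization off, next to a hardened one. The port and interface values are assumptions chosen for illustration.

```yaml
# Constructed example: exposed mongod.conf fragment.
# Listens on every interface and authorization is disabled, so anyone who can
# reach TCP 27017 gets full read/write access with no credentials at all.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# Constructed example: hardened mongod.conf fragment.
# Bind only to localhost (or a private interface), require role-based
# authentication, and create an admin user in the admin database before
# anything else is allowed to connect.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

To confirm the hardened settings took effect on your own host, connect with the mongo shell without credentials and check that listDatabases is rejected with an authorization error rather than returning data.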
Is there a tool for checking mongo vulnerabilities?