As we begin 2017, there’s a sense of renewal and tabula rasa that comes with the start of a new calendar year. That optimistic sense of clarity going forward was short lived for many security architects and engineers as two massive vulnerabilities were published before we were even one week into January. As the old saying goes, crime doesn’t take a day off.
What is ransomware?
Ransomware is a term that defines a piece of malicious software that encrypts your data and holds it ransom. The malware instructs the user to pay a specified amount of Bitcoin, the popular cryptocurrency that is near impossible to trace, and upon receiving the payment, the malware’s author provides you with the key to decrypt your data. If you don’t comply with their demands, your data is lost forever.
These types of attacks affect both home users and businesses. They first started by preying on the elderly and those who weren’t sufficiently tech-savvy. The success rate of these scams was high enough that the attackers moved on to targeting businesses and asking for larger amounts of Bitcoin. Organizations that were hit with these attacks were often advised to pay the ransom, as even organizations like the FBI did not possess the technology to track down the criminals or to decrypt the data that had been compromised. Law enforcement agencies themselves have been victims: in 2013, the Swansea Police Department in Massachusetts paid 2 Bitcoins (worth $750 USD at the time) when all of their Word documents and image files were encrypted by the CryptoLocker ransomware.
The big debate about how to handle these types of attacks is, to pay or not to pay. The ransomware can be programmed to include a self-destruct timer that gives the victim only a certain amount of time to pay the ransom, further putting pressure on the situation. With no assistance from law enforcement, you are left with two options, pay up or lose your data. In the past, the ransoms have been in amounts that both home users and organizations could afford, or their data wasn’t important enough to save and they simply wiped their systems clean. A new ransomware, however, has raised the stakes by demanding 222 Bitcoins for the decryption key. At the current prices, 1 Bitcoin is equal to $882.26 USD. That means the victim would have to pay upwards of $190,000 USD to decrypt their data, with absolutely no guarantee that the attacker will follow through and provide the key.
What is KillDisk?
KillDisk is ransomware that was originally used to sabotage companies by randomly deleting files from their servers and workstations. It has been associated with the BlackEnergy malware that was used to damage multiple Ukrainian power stations in 2015, causing thousands of people to lose power to their homes and businesses. This malware has two variants: a Linux version and a Windows version.
The Linux version operates in a way not previously seen in ransomware. Researchers at ESET discovered that KillDisk encrypts every single file on the computer using Triple-DES applied to 4096-byte file blocks, with each file encrypted under a different set of 64-bit encryption keys. Furthermore, the key needed to decrypt the files is not stored anywhere on disk, nor is it sent to a command-and-control server. So even if you do pay the outrageously high ransom, the chance that you’re going to get your data back is 0%. ESET did report that there is a weakness in the way the encryption is applied and that data recovery without the encryption key is possible, though difficult.
You can read more about ESET’s research here.
New vulnerability affecting MongoDB
But the unpleasantness doesn’t stop there. A wider attack affecting thousands of MongoDB instances has been discovered. The instances themselves are unsecured, and researchers have been kind enough to try to send breach notifications to any organizations they’ve found affected.
The attack, which has yet to be given a nickname, asks the victim to send 0.2 Bitcoins, a far smaller ransom than KillDisk’s. Researchers have found evidence that the attack has been active since December 20, 2016. What shocked researchers most of all was the sheer volume of insecure instances that contained sensitive data.
In one example, Victor Gevers, chairman of GDI.foundation, posted a tweet while researching insecure MongoDB instances that read, “853,761,356,947 records with metadata of recorded mobile phone calls in an open MongoDB, I had to blink twice to read the total amount”. Gevers and other researchers are keeping an active spreadsheet of the affected instances available here. As of January 12, the number of affected MongoDB instances has grown past 34,000.
Prevention is the only way to secure your environment and researcher John Matherly showed that many people do not bother to secure their instances of MongoDB. The top 10 database names from most used to least used include the following:
• local (41,180)
• admin (24,907)
• test (6,443)
• WARNING (1,853)
• db (1,791)
• * (850)
• mta_controller (823)
• mydb (762)
• dev (451)
• catalog (424)
These names and instances were found using a freely available tool called Shodan. Shodan is a search engine that locates devices and IPs that are connected to the internet. You can find out useful information such as whether a Telnet port is open, what services a server might be running, and you can even find open instances of people using VNC and log right into their workstations.
If reading that put the fear of the unknown into you, good. It should.
Servers that are going to handle sensitive client data or company assets need, at the absolute minimum, a properly hardened configuration and the oversight to ensure that a bored script kiddie doesn’t find your company’s database on Shodan and decide to snoop around. Vivek Gite wrote an excellent blog article on how to secure your MongoDB servers on Linux/Unix systems. I highly recommend giving it to your database admins to ensure your instances aren’t among the tens of thousands that are currently compromised.
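The two settings that put most of those instances on Shodan are a public bind address and authorization left off. As an added example (not from this article or from Vivek Gite’s guide), here is a small Python audit that parses the indented key/value subset used by mongod.conf and flags both; the two config samples are constructed for the example, and the parser is deliberately minimal rather than a full YAML implementation.

```python
# Constructed sample: the default-looking mongod.conf that ends up on Shodan.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server bound to loopback with authorization on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the indented 'key: value' subset used by mongod.conf into
    nested dicts. Minimal on purpose: no YAML lists, anchors or quoting."""
    stack = [(-1, {})]                      # (indent, mapping) for each open section
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:       # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]


def audit_conf(text):
    """Return the list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    findings = []
    # A missing bindIp meant 'all interfaces' for mongod binaries before 3.6.
    bind = str(conf.get("net", {}).get("bindIp", "0.0.0.0"))
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append("net.bindIp: listening on every interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: not enabled, any client is admin")
    return findings
```

Run `audit_conf` over each server’s mongod.conf from your configuration management; a non-empty result on a host that is reachable from outside your network is exactly the condition the researchers above were counting.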
Is your information secure?
While writing this blog, it was brought to my attention that there’s yet another ransomware out there that’s targeting Elasticsearch deployments. The same researchers who have been keeping track of the MongoDB ransomware have reported that over 600 Elasticsearch clusters have been compromised. This is troubling as Elasticsearch experts say there’s no reason for these clusters to be exposed to the open internet, once again showing that improper implementation can cause vulnerabilities such as this. Just like the ransomware requesting 222 Bitcoins, this ransomware shows no evidence that the database is backed up and will be available once you pay the ransom.
The takeaway from this article, as with many articles on security, is to take the time to make sure your infrastructure is set up and secured properly. Never use default names and passwords, use strong encryption, keep your application infrastructure up to date, and ransomware won’t be an issue. Email is still the most common gateway for malware and attacks, so brushing up on your organization’s email policies never hurts either.
And as always, Rogue Wave Open Source Support is here to help should you need assistance with upgrading your infrastructure and maintaining your open source products.