MyCERT Advisories, Alerts and Summaries for the year 2017

MA-644.012017: MyCERT Alert – Ransomware Targeting MongoDB and Elasticsearch Default Installation without Authentication
Date first published: 19/1/2017
1st revision: 25/1/2017

1.0    Introduction

MyCERT has received information that default MongoDB and Elasticsearch installations ship without authentication enabled, which leaves any instance reachable from the Internet open to attack. Based on our analysis, we are aware of 48 default MongoDB deployments without authentication in Malaysia, of which 22 IPs are infected with ransomware. We are also aware of 15 default Elasticsearch deployments without authentication in Malaysia, of which 2 IPs are infected with ransomware.


2.0 Affected Products

All MongoDB and Elasticsearch versions running a default installation with no authentication enabled, in particular where the service is reachable from the Internet.


3.0 Impact

Because the default installation has no authentication, an attacker who can reach the service can hold the stored data to ransom and restrict users from accessing it. The figures below are screenshots from infected servers:

Figure 1: Ransom note on compromised MongoDB.


Figure 2: Ransom note on compromised Elasticsearch.

As the figures show, the attacker leaves a ransom note instructing the victim to transfer Bitcoin to the attacker in exchange for the data.

4.0 Modus Operandi (MO)

a. MongoDB
  •     Target Internet-exposed MongoDB installations that have no password set
  •     Data is cloned, deleted and encrypted
  •     A ransom is demanded for its return

b. Elasticsearch
  •     Target Internet-exposed Elasticsearch installations that have no password set
  •     Data is cloned, deleted and encrypted
  •     A ransom is demanded for its return
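To confirm from outside whether a deployment matches the MO above, that is, reachable on the network and answering without a password, the following added example (not MyCERT's or the vendors' code; standard library only) probes a host on the default ports. For MongoDB it speaks the wire protocol directly: an isMaster handshake to learn the server's wire version, then listDatabases, which a server with authorization enabled refuses with code 13 (Unauthorized) and an open server answers with its database names. For Elasticsearch it fetches /_cat/indices, which an unprotected cluster serves to anyone. The host names on the command line, the default ports and the five-second timeout are assumptions.

```python
"""Added example for this advisory, not MyCERT or vendor code: probe a host for a MongoDB or
Elasticsearch service that answers without credentials. Assumes the default ports; probe only
hosts you are authorised to test."""
import socket, struct, sys, urllib.error, urllib.request

OP_REPLY, OP_QUERY, OP_MSG = 1, 2004, 2013
FIXED = {0x01: ("<d", 8), 0x07: ("<12s", 12), 0x08: ("<?", 1), 0x09: ("<q", 8),  # fixed-width BSON
         0x10: ("<i", 4), 0x11: ("<Q", 8), 0x12: ("<q", 8)}                       # types -> (fmt, width)

def bson_encode(doc):
    """Encode a flat dict of str -> int32 | str (all a command needs) as BSON."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        else:
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def bson_decode(buf, pos=0):
    """Decode the BSON document at buf[pos] -> (dict, position after it)."""
    end, pos, out = pos + struct.unpack_from("<i", buf, pos)[0], pos + 4, {}
    while buf[pos] != 0:
        etype, nul = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:nul].decode(), nul + 1
        if etype in FIXED:               # double, ObjectId, bool, datetime, int32/64, timestamp
            val, pos = struct.unpack_from(FIXED[etype][0], buf, pos)[0], pos + FIXED[etype][1]
        elif etype in (0x02, 0x05):      # string (int32 len incl. NUL) / binary (int32 len, subtype, bytes)
            n, off = struct.unpack_from("<i", buf, pos)[0], pos + (4 if etype == 0x02 else 5)
            val, pos = (buf[off:off + n - 1].decode() if etype == 0x02 else buf[off:off + n]), off + n
        elif etype in (0x03, 0x04):      # embedded document / array (keys "0", "1", ...)
            val, pos = bson_decode(buf, pos)
            val = [val[k] for k in sorted(val, key=int)] if etype == 0x04 else val
        else:                            # anything else is not expected in these replies
            raise ValueError("unhandled BSON type 0x%02x" % etype)
        out[key] = val
    return out, end

def build_op_query(command, request_id=1, db="admin"):
    """Legacy OP_QUERY on <db>.$cmd, the only framing servers before 3.6 accept."""
    body = (struct.pack("<i", 0) + f"{db}.$cmd".encode() + b"\x00"
            + struct.pack("<ii", 0, -1) + bson_encode(command))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body

def build_op_msg(command, request_id=1, db="admin"):
    """OP_MSG (3.6+, mandatory from 5.1): flagBits, one kind-0 section, $db in the body."""
    body = struct.pack("<I", 0) + b"\x00" + bson_encode({**command, "$db": db})
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body

def parse_reply(msg):
    """Body document of an OP_REPLY (document at offset 36) or an OP_MSG (offset 21)."""
    opcode = struct.unpack_from("<i", msg, 12)[0]
    if opcode not in (OP_REPLY, OP_MSG):
        raise ValueError("unexpected opCode %d" % opcode)
    return bson_decode(msg, 36 if opcode == OP_REPLY else 21)[0]

def exchange(sock, msg):
    sock.sendall(msg)
    data = b""                           # read the complete length-prefixed reply
    while len(data) < 4 or len(data) < struct.unpack_from("<i", data)[0]:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def classify_mongodb(reply):
    """listDatabases succeeds only when authorization is off (or a user is logged in)."""
    if reply.get("ok") == 1:
        return True, "listDatabases allowed: %s" % [d["name"] for d in reply["databases"]]
    return False, "refused, code %s: %s" % (reply.get("code"), reply.get("errmsg"))

def probe_mongodb(host, port=27017, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        hello = parse_reply(exchange(sock, build_op_query({"isMaster": 1})))
        # use the framing the server supports: OP_QUERY listDatabases is rejected on 5.1+
        build = build_op_msg if hello.get("maxWireVersion", 0) >= 6 else build_op_query
        return classify_mongodb(parse_reply(exchange(sock, build({"listDatabases": 1}, 2))))

def classify_elasticsearch(status, body):
    """/_cat/indices is world-readable unless Shield/X-Pack or a proxy demands auth."""
    if status == 200:
        return True, "index listing allowed: %s" % [l.split()[2] for l in body.splitlines() if l.strip()]
    return False, "HTTP %d: authentication or an access-controlled proxy in front" % status

def probe_elasticsearch(host, port=9200, timeout=5):
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/_cat/indices", timeout=timeout) as r:
            return classify_elasticsearch(r.status, r.read().decode())
    except urllib.error.HTTPError as e:
        return classify_elasticsearch(e.code, e.read().decode())

if __name__ == "__main__":  # usage: python probe.py host [host ...]
    for host in sys.argv[1:]:
        for name, probe in (("MongoDB", probe_mongodb), ("Elasticsearch", probe_elasticsearch)):
            try:
                print(host, name, *probe(host))
            except (OSError, ValueError) as err:
                print(host, name, False, "no usable answer: %s" % err)
```

Run it from outside the hosting network; a line marked True means the data, and the ability to drop it, is reachable without credentials, which is exactly the condition the attackers in this campaign look for. A refused connection or timeout is reported rather than treated as safe, since a firewall that filters the probe's source address may not filter the attacker's.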

5.0 Recommendations
  • MyCERT highly recommends that users of these products enable authentication, set strong passwords and restrict network access to the MongoDB and Elasticsearch services so that they are not reachable from the Internet. Kindly refer to our advisory available at this URL: https://www.mycert.org.my/en/services/advisories/mycert/2017/main/detail/1244/index.html
  • Keep your operating system and software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks; keeping them patched greatly reduces the number of exploitable entry points available to an attacker.
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite recovery. Ideally, this data should be kept on a separate device, and backups should be stored offline. Do not rely on paying the ransom to recover data: there is no guarantee that the attacker actually retained a copy.
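The settings behind the first recommendation, shown as an added example rather than MyCERT's or the vendors' own files: the configuration that leaves each service open, next to the hardened form. The file paths are the usual package locations and are assumptions; the bind address must be whatever the application servers actually need to reach, never an address visible from the Internet.

```yaml
# /etc/mongod.conf  (path assumed; YAML format understood by mongod 2.6 and later)
#
# Before: nothing set under "net" (mongod before 3.6 then listens on every
# interface) and no "security" section at all, so authorization is off and
# anyone who can reach TCP/27017 can list, dump and drop every database.
#
# After: listen only where clients need it and require a login for every command.
# Create the first administrator through the localhost exception before
# restarting with authorization enabled, e.g. in the mongo shell on the admin
# database: db.createUser({user: "admin", pwd: "<strong password>", roles: ["userAdminAnyDatabase"]})
net:
  port: 27017
  bindIp: 127.0.0.1        # or the private address of the application network
security:
  authorization: enabled   # unauthenticated clients can no longer read or delete data
---
# /etc/elasticsearch/elasticsearch.yml  (path assumed)
#
# Before: network.host: 0.0.0.0 (the default on Elasticsearch 1.x) with no
# security plugin installed, so GET /_cat/indices and DELETE /<index> on
# TCP/9200 are open to anyone.
network.host: 127.0.0.1        # bind to loopback or the private interface only
xpack.security.enabled: true   # X-Pack security on 5.x and later; Shield fills the same role on 1.x/2.x
```

Binding to a private address is not a substitute for authentication, and authentication is not a substitute for filtering: in addition to the settings above, block TCP/27017 and TCP/9200 at the host or network firewall for every source that is not an application server.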

Generally, MyCERT advises users of this software to keep up to date with the vendors' latest security announcements and to follow best practices and security policies when determining which updates should be in place.

For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: available for iOS and Android users

6.0    References
•    https://www.mycert.org.my/en/services/advisories/mycert/2017/main/detail/1244/index.html
•    https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
•    https://docs.mongodb.com/manual/tutorial/enable-authentication/
•    https://www.elastic.co/blog/found-elasticsearch-security
•    https://www.elastic.co/guide/en/x-pack/current/xpack-security.html