Last year, thousands of MongoDB instances were hacked, and their contents ransomed for a small sum in bitcoin. This episode wasn’t just a troubling reminder that people are terrible at securing the things they expose to the Internet, but a demonstration that ransomware developers were shifting their focus from systems to services.
Could another big data ransomware nightmare be on the horizon? Perhaps. Shodan, which develops the “search engine for computers,” just published an interesting article that suggests the bad practices that resulted in MongoDB systems getting pwned are still prevalent.
According to Shodan founder John Matherly, there are 4,487 HDFS (Hadoop Distributed File System) servers connected to the public Internet that lack basic authentication. While that is fewer than the total number of vulnerable MongoDB instances (47,820 to 4,487), the HDFS instances contain vastly more data (25 TB to 5,120 TB).
Matherly points out that the ransomware attacks against MongoDB and HDFS are still occurring. Shodan has identified 212 HDFS clusters believed to have been hacked. Thankfully, this time around, no damage was done. The intruder simply left a message as a warning, saying “NODATA4U_SECUREYOURSHIT.”
But it could have been a lot worse, especially when you consider that HDFS is used in some pretty mission-critical applications, like finance and search. It’s not like MongoDB, which people seemingly use because they’re too trendy to use MariaDB.
You can read the post from Matherly here. It also comes with a proof-of-concept program, allowing you to double-check his findings, as well as further information on where the majority of vulnerable HDFS instances are.