Investigation revealed that ‘digital vandals’ fled empty-handed
RSS newsreader NewsBlur was down for 10 hours last week after a criminal hacker attempted – unsuccessfully – to hold its data to ransom.
Founder Samuel Clay says he was in the process of transitioning NewsBlur to Docker, when he received a message claiming that the company’s MongoDB database had been deleted and demanding a BTC 0.03 ransom (around $1,000) for the recovery of 250 GB of data.
It seems that the containerization step had bypassed the host firewall’s allowlist, leaving the NewsBlur MongoDB instance reachable from the internet without any network-level protection.
“Turns out the UFW firewall I enabled and diligently kept on a strict allowlist with only my internal servers didn’t work on a new server because of Docker,” says Clay in a blog post.
“When I containerized MongoDB, Docker helpfully inserted an allow rule into iptables, opening up MongoDB to the world.”
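The mechanism Clay describes is worth spelling out: when Docker publishes a container port it adds DNAT and ACCEPT rules of its own (the DOCKER chain in the FORWARD path), and UFW’s allowlist, which lives in the INPUT chain, never sees that traffic. The following POSIX shell script is an added example, not NewsBlur’s code: it audits a host for ports Docker has published on all interfaces, lists the ACCEPT rules in the DOCKER chain, and emits allowlist rules for the DOCKER-USER chain, which Docker evaluates before its own rules. The `docker ps` and `iptables -S DOCKER` output embedded below is constructed sample data; the interface name `eth0` and the CIDRs are assumptions for the example.

```shell
#!/bin/sh
# Added example (not NewsBlur's code): find ports Docker has exposed on all
# interfaces and generate DOCKER-USER rules that re-impose a source allowlist.
# The two SAMPLE_* variables are constructed; on a real host replace them with
#   docker ps --format '{{.Names}} {{.Ports}}'
#   iptables -S DOCKER

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'`
SAMPLE_DOCKER_PS='mongo 0.0.0.0:27017->27017/tcp, :::27017->27017/tcp
redis 127.0.0.1:6379->6379/tcp
web 0.0.0.0:443->443/tcp
worker '

# Constructed sample of `iptables -S DOCKER` on the same host
SAMPLE_DOCKER_CHAIN='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT'

# Print the name of every container with a port published on a wildcard
# address (0.0.0.0 or ::). Ports bound to 127.0.0.1 are not reachable from
# outside the host and are skipped.
exposed_containers() {
  printf '%s\n' "$1" |
    awk '/(^| |, )(0\.0\.0\.0|::|\[::\]):[0-9]+->/ { print $1 }'
}

# Print "<container address> <port>" for each ACCEPT rule Docker inserted into
# its own chain. These rules sit in FORWARD, so a UFW allowlist on INPUT
# does not apply to them.
docker_chain_accepts() {
  printf '%s\n' "$1" |
    awk '/^-A DOCKER .* -j ACCEPT$/ {
      dst = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") dst = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      print dst, port
    }'
}

# Emit (but do not apply) iptables commands that allow forwarded traffic from
# the external interface to containers only from the given source CIDRs.
# DOCKER-USER is the chain Docker reserves for user rules and consults before
# the DOCKER chain, so these rules survive container restarts.
# Usage: docker_user_rules <external-interface> <cidr>...
docker_user_rules() {
  ext_if=$1
  shift
  printf 'iptables -F DOCKER-USER\n'
  printf 'iptables -A DOCKER-USER -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$ext_if"
  for cidr in "$@"; do
    printf 'iptables -A DOCKER-USER -i %s -s %s -j ACCEPT\n' "$ext_if" "$cidr"
  done
  printf 'iptables -A DOCKER-USER -i %s -j DROP\n' "$ext_if"
  printf 'iptables -A DOCKER-USER -j RETURN\n'
}

echo "containers with ports published on all interfaces:"
exposed_containers "$SAMPLE_DOCKER_PS"
echo "ACCEPT rules Docker added to the DOCKER chain:"
docker_chain_accepts "$SAMPLE_DOCKER_CHAIN"
echo "DOCKER-USER rules to review before applying (eth0 and CIDR are assumed):"
docker_user_rules eth0 10.0.0.0/8
```

Run against the constructed samples, the audit flags `mongo` and `web` but not `redis`, whose port is bound to loopback. That points to the simplest fix for a database: publish it as `127.0.0.1:27017:27017` or not at all, and let application containers reach it over the Docker network. The generated DOCKER-USER rules drop all new inbound forwarded traffic from the external interface except from the allowlisted CIDRs, so a service that must stay public (the `web` container here) needs an explicit ACCEPT ahead of the DROP; because DOCKER-USER sees traffic after DNAT, such a rule should match the original host port with `-m conntrack --ctorigdstport`. Disabling Docker’s iptables management altogether (`"iptables": false` in `daemon.json`) is also possible but then leaves all container networking rules to you.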
What data breach?
Luckily, Clay had retained the original database and was able to take a snapshot and restore the service after a few hours.
He was also able to establish, by examining the volume of data transferred and the access logs, that the attackers were bluffing: no data had actually been exfiltrated before the database was dropped.
“This tells us that the hacker was an automated digital vandal rather than a concerted hacking attempt,” he says.
“And if we were to pay the ransom, it wouldn’t do anything because the vandals don’t have the data and have nothing to release.”
Clay says that, ironically, the same migration, which moves NewsBlur into a virtual private cloud, should help ensure that nothing like this can happen again.
He also plans to enable authentication on all databases and to tighten user permissions.