MongoDB Security Incident Post Event Summary, January 23, 2024

Lena Smart
January 23, 2024 | Updated: January 26, 2024

MongoDB first informed customers in an alert posted on December 16, 2023 at 3:00pm EST that it was actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which included exposure of customer account metadata and contact information. MongoDB posted updated information on www.mongodb.com/alerts as we continued to investigate the matter, notifying customers that our investigation was complete and closed in a post on January 3, 2024 at 5:00pm EST.

During the investigation, we were able to confirm that the unauthorized party never had access to any MongoDB clusters – either on-premises or in MongoDB Atlas – and never penetrated the Atlas cluster authentication system. As a reminder, MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems.

On October 6, 2023, at approximately 11:45:00 UTC, a previously unknown flaw in a third-party application used by MongoDB staff enabled an unauthorized party to successfully phish and acquire the Single Sign-On (“SSO”) credentials and a corresponding Time-based One-Time Password (“TOTP”) from a MongoDB employee. The unauthorized party executed an Adversary-in-the-Middle (AitM) attack and used the credentials acquired from the phishing attack to access data in certain corporate applications. As described in our previous alerts and blog, this included access to corporate applications containing certain customer contact information and metadata.

Within twenty-four hours after the initial intrusion on October 6, 2023, MongoDB’s standard session limits kicked in, and the unauthorized party lost access to our corporate applications, except for our corporate messaging application. Between December 12 and December 14, 2023, the unauthorized party used their access to the corporate messaging application to send additional targeted phishing messages to MongoDB employees from the initially compromised user account, which enabled them to regain access to MongoDB corporate applications for a limited time.

On December 14, a MongoDB employee identified the fraudulent phishing messages sent by the unauthorized party in our corporate messaging application and notified the MongoDB security team. The MongoDB security team immediately enacted its incident response plan. MongoDB's investigation focused on determining the timeline of the event, the initial infection vector, and the number of impacted employees. With that information, MongoDB and our third-party forensics firm examined logs for all systems the attacker accessed and used this information to understand the breadth of the event.

MongoDB took the following actions:

  • Disabled the functionality in the third-party application that contained the flaw abused by the unauthorized party;

  • Reset the credentials of all known and suspected compromised user accounts;

  • Cleared active sessions of all known and suspected compromised user accounts;

  • Examined the environment to fully understand the breadth and depth of the unauthorized party’s activity and to extract indicators of compromise; and,

  • On an ongoing basis, we’re continuing to review and harden our security posture, including developing additional monitoring and alerts.

We also strengthened our phishing-resistant, multi-factor authentication policies and continue to reiterate that customers should enforce phishing-resistant MFA, regularly rotate passwords, and remain vigilant for social engineering attacks.

MongoDB’s investigation is complete and closed. Together with our third-party forensic experts, we can confirm that the unauthorized party no longer has access to our environment.

← Previous

趨勢科技借重 MongoDB Atlas服務 搶攻全球端點資安防護商機

打造安全的網路世界 趨勢科技持續投入創新研究 近年駭客發動攻擊頻率比過去高上數倍,對全球各地企業、消費者帶來前所未有的衝擊。面對日新月異的攻擊手法,企業開始加快引進先進防護技術,也讓資安市場競爭更為激烈。資安業者必須持續投入開發新一代的資安防護機制,才能助企業偵測各種未知威脅,以免被市場淘汰。 身為全球資安領導廠商之一的趨勢科技,致力建立一個安全的資訊交換世界,一向致力投入創新資安技術研發和全球威脅趨勢研究,以便為用戶提供符合時代潮流的最佳資安防護方案。目前該公司解決方案已經橫跨雲端、網路、裝置及端點的網路資安平台,能提供各種強大進階威脅防禦技術,可在第一時間偵測與回應威脅,至今已守護全球 50 多萬家企業、2.5億以上的用戶。 挑戰 因應駭客攻擊手法多變 打造以事件驅動的新一代資安機制 善於掌握全球威脅趨勢的趨勢科技,很早就觀察到駭客看準多數企業都將防護重心放在閘道端。駭客會利用社交工程、釣魚郵件等手法,躲避防火牆、IPS 等設備偵測,將攻擊目標鎖定在資安防護力較弱的端點裝置。為此,趨勢科技研發主機入侵防護 (HIPS)技術,將防護延伸至關鍵的平台及實體或虛擬裝置,在修補更新釋出或能夠部署之前,妥善防堵已知及未知的漏洞,達到消除資安風險的目的。 然而,駭客攻擊手法日益進化,加上混合雲成為企業建構資訊架構主流,導致傳統資安防護邊界被打破,訴求「永不信任、時時驗證」的零信任 (Zero Trust) 架構機制,已成為防堵威脅入侵的唯一法門。趨勢科技決定著手打造新一代端點防護機制 - Trend Vision One - Endpoint sensor。 趨勢科技資深軟體工程師紀懷竣說:「Trend Vision One - Endpoint sensor 為 用戶提供全方位的預防、偵測和回應能力,讓資安人員可透過單一平台,更快速阻擋各種惡意攻擊威脅入侵,助企業掌握自身的資安風險。MongoDB Altas 讓我們能快速整合各種端點上的訊息,為全球各地用戶在端點管理上提供更即時的資訊,並藉由與Trend Vision One上的各種防護功能整合,提供用戶更全面的威脅偵測服務,保護企業的重要數位資產。」 趨勢科技軟體工程師羅智晟指出:「為了服務全球客戶,我們很早就將資安服務轉移到多個公有雲平台上,利用不同公有雲業者的各自優勢,為用戶提供最佳的資安防護服務。雖然各家公有雲平台都有 NoSQL 資料庫方案,但 Trend Vision One - Endpoint sensor 是橫跨多個公有雲平台的資安服務,若只選擇其中一家業者的方案,勢必難以在其他公有雲平台上運作。相較之下,MongoDB Atlas 在支援三大公有雲平台之外,也具備 HA、Auto Scaling 等功能,正好符合公司的營運需求,所以最終成為我們的首選方案。」 解決方案 MongoDB Change Streams 功能強大 實踐以事件驅動的端點資訊推播 Trend Vision One 是以零信任架構為核心的資安防護平台,透過 User and Identity、Endpoints and Servers、Email、Cloud Infra,Applications 及 ICT/OT 等服務之間搭配,為用戶提供 Email Security、Endpoint Security、Cloud Security,Network Security 及 OT Security 等防護功能。Trend Vision One - Endpoint sensor 在端點管理上,採取以事件驅動的服務架構,後端一旦收到端點上的資訊或服務模組變動時,系統就會立即將資訊傳送到Trend Vision One的各種服務上,在最短時間內將端點資訊與各項防護進行整合。 過往,趨勢科技端點防護開發團隊在架構設計上,要透過多個技術之間的搭配,才能實踐事件驅動的目標。而研發團隊發現MongoDB Atlas 的MongoDB Change Streams 功能,是專為事件驅動設計的技術,可依照預先設定將資料庫中的各項資料即時變化資訊,立即傳送到指定的應用程式中。如此一來,應用程式可針對單一個資料庫或多個資料庫中的資料變化,進行即時分析與回應,而這正是 Trend Vision One - Endpoint sensor 可提供給客戶的重要功能。特別是從MongoDB Change Streams 7.0開始,取消16mb大小的限制,這項改進預計將擴大此功能的實用性,使其可以應對更多樣化和複雜的數據處理需求。 紀懷竣指出,MongoDB Change Streams 最大優點在於能讓應用程式即時存取資料的變化狀況,免去傳統存取log的複雜、風險等流程。尤其應用程式也能依照需求篩選所需的資料種類,讓分析更為準確、有效率。儘管我們可以利用其他方式實踐事件驅動的目標,但是整體架構設計將需花費更多時間與資源,因此團隊很滿意MongoDB Change Streams 所帶來的效益。 展望未來 善用 Global Cluster 低延遲同時服務全球客戶 趨勢科技使用 MongoDB Atlas 從初期 MongoDB 4.x升級到目前的 MongoDB 6.0,整體服務效能與穩定度提升不少。此外,考量到 Trend Vision One - Endpoint sensor 用戶涵蓋全球各地區及國家,為確保用戶享有最佳體驗,趨勢科技早已透過 MongoDB Atlas Global Cluster 功能,串連美國、歐洲、印度、澳洲、日本、新加坡等地雲端資料中心,為客戶提供7x24小時不間斷的XDR服務。 2022年 ChatGPT 問世,讓全球看到生成式 AI 強大力量,趨勢科技也計畫在 Trend Vision One - Endpoint Security 中融合相關技術。除讓XDR功能更為強大之外,也希望提升開發團隊的工作效率。最新推出的MongoDB Atlas Vector Search 廣泛支援不同主流的大型語言模型框架,因此趨勢科技團隊已在探索最新版本的相關功能,作為日後規劃升級的參考。 「我們透過 MongoDB Atlas Global Cluster 協助,在端點管理上提供更即時的資訊傳送,藉著與Trend Vision One更多資安服務的整合,讓全球各地用戶在第一時間偵測未知威脅與回應,妥善保護企業資訊安全。未來,我們也會評估使用MongoDB Atlas Vector Search功能,提升全文檢索的效益,持續強化 XDR 服務的能量與速度。 」 趨勢科技資深軟體工程師紀懷竣

January 23, 2024
Next →

Building AI With MongoDB: Integrating Vector Search And Cohere to Build Frontier Enterprise Apps

Cohere is the leading enterprise AI platform, building large language models (LLMs) which help businesses unlock the potential of their data. Operating at the frontier of AI, Cohere’s models provide a more intuitive way for users to retrieve, summarize, and generate complex information. Cohere offers both text generation and embedding models to its customers. Enterprises running mission-critical AI workloads select Cohere because its models offer the best performance-cost tradeoff and can be deployed in production at scale. Cohere’s platform is cloud-agnostic. Their models are accessible through their own API as well as popular cloud managed services, and can be deployed on a virtual private cloud (VPC) or even on-prem to meet companies where their data is, offering the highest levels of flexibility and control. Cohere’s leading Embed 3 and Rerank 3 models can be used with MongoDB Atlas Vector Search to convert MongoDB data to vectors and build a state-of-the-art semantic search system. Search results also can be passed to Cohere’s Command R family of models for retrieval augmented generation (RAG) with citations. Check out our AI resource page to learn more about building AI-powered apps with MongoDB. A new approach to vector embeddings It is in the realm of embedding where Cohere has made a host of recent advances. Described as “AI for language understanding,” Embed is Cohere’s leading text representation language model. Cohere offers both English and multilingual embedding models, and gives users the ability to specify the type of data they are computing an embedding for (e.g., search document, search query). The result is embeddings that improve the accuracy of search results for traditional enterprise search or retrieval-augmented generation. One challenge developers faced using Embed was that documents had to be passed one by one to the model endpoint, limiting throughput when dealing with larger data sets. To address that challenge and improve developer experience, Cohere has recently announced its new Embed Jobs endpoint . Now entire data sets can be passed in one operation to the model, and embedded outputs can be more easily ingested back into your storage systems. Additionally, with only a few lines of code, Rerank 3 can be added at the final stage of search systems to improve accuracy. It also works across 100+ languages and offers uniquely high accuracy on complex data such as JSON, code, and tabular structure. This is particularly useful for developers who rely on legacy dense retrieval systems. Demonstrating how developers can exploit this new endpoint, we have published the How to use Cohere embeddings and rerank modules with MongoDB Atlas tutorial . Readers will learn how to store, index, and search the embeddings from Cohere. They will also learn how to use the Cohere Rerank model to provide a powerful semantic boost to the quality of keyword and vector search results. Figure 1: Illustrating the embedding generation and search workflow shown in the tutorial Why MongoDB Atlas and Cohere? MongoDB Atlas provides a proven OLTP database handling high read and write throughput backed by transactional guarantees. Pairing these capabilities with Cohere’s batch embeddings is massively valuable to developers building sophisticated gen AI apps. Developers can be confident that Atlas Vector Search will handle high scale vector ingestion, making embeddings immediately available for accurate and reliable semantic search and RAG. Increasing the speed of experimentation, developers and data scientists can configure separate vector search indexes side by side to compare the performance of different parameters used in the creation of vector embeddings. In addition to batch embeddings, Atlas Triggers can also be used to embed new or updated source content in real time, as illustrated in the Cohere workflow shown in Figure 2. Figure 2: MongoDB Atlas Vector Search supports Cohere’s batch and real time workflows. (Image courtesy of Cohere) Supporting both batch and real-time embeddings from Cohere makes MongoDB Atlas well suited to highly dynamic gen AI-powered apps that need to be grounded in live, operational data. Developers can use MongoDB’s expressive query API to pre-filter query predicates against metadata, making it much faster to access and retrieve the more relevant vector embeddings. The unification and synchronization of source application data, metadata, and vector embeddings in a single platform, accessed by a single API, makes building gen AI apps faster, with lower cost and complexity. Those apps can be layered on top of the secure, resilient, and mature MongoDB Atlas developer data platform that is used today by over 45,000 customers spanning startups to enterprises and governments handling mission-critical workloads. What's next? To start your journey into gen AI and Atlas Vector Search, review our 10-minute Learning Byte . In the video, you’ll learn about use cases, benefits, and how to get started using Atlas Vector Search.

April 25, 2024