A hacker uploaded a ransom note to around 22,900 MongoDB databases that can be accessed unprotected via the Internet. The number corresponds to around 47 percent of the MongoDB databases accessible on the Internet. The hacker threatens operators who do not want to bow to the extortion attempt to report them to data protection authorities.
However, the hacker is not satisfied with this threat. In order to emphasize his claim about 0.015 Bitcoin (around EUR 123), he also deletes the content of the databases. He also claims to have copies of the data that he will publish if necessary. The database operators should meet his demands within two days.
Such ransom notes were first discovered in early April 2020. According to security researcher Victor Gevers from the GDI Foundation, the hacker initially did not delete the data of his victims. However, this was a mistake, triggered by an error in a script used in the attacks. The bug had been removed at the beginning of the week, so that the databases would now actually be deleted. “Everything is gone. Really everything, ”said Gevers in an interview with ZDNet USA.
Some of the unsecured databases were, according to the researcher, test instances. Others were used productively, so that work data was deleted here.
As part of his work at GDI Foundation, Gevers informs companies about vulnerable servers. When he checked MongoDB systems yesterday, he found only one data leak, instead of the expected five to ten. He became aware of the deletion routine activated by the hacker.
However, the strategy of flushing databases to ransom money is not new. According to Gevers, cybercriminals have been chasing her since late 2016. In attacks in January 2017, more than 28,000 servers were blackmailed. Another 26,000 followed in September 2017 and another 3,000 in February 2019.
MongoDB itself made faulty configurations responsible for this in 2017. Operators failed to protect their databases with passwords and a firewall.
Little seems to have changed in three years. The number of unprotected MongoDB servers has shrunk from 60,000 to 48,000 at the beginning of 2017. However, MongoDB setups available from the factory include the required security settings. Administrators should consult MongoDB’s security settings guide to review their current configuration.
Webinar: Network security and network monitoring in the new normal
The Gigamon Visibility Platform is the catalyst for the fast and optimized provision of data traffic for security tools, network performance and application performance monitoring. Find out in this webinar how Gigamon solutions can increase the efficiency of your security architecture and save costs.