Attacker Holds MongoDB Databases to Ransom


A cyber-attacker going by the name Harak1r1 has been using ransomware to hijack unprotected MongoDB databases, locking down and replacing content before asking for Bitcoin to return the data, a security researcher has revealed.

Victor Gevers, co-founder of the GDI Foundation (a non-profit dedicated to making the internet safer), has spent the last 18 years carrying out security research and has made more than 5200 responsible disclosures in his time, including searching for unprotected MongoDB servers and warning companies of their risky status. 

On 27 December Gevers stumbled across a MongoDB database that was open to external connections without an admin account password, which is often the case. However, when he accessed the open server, Gevers discovered that this attack was a little different from most.

Speaking to Infosecurity, he explained that the attacker created a local copy of the data, deleted the original database, and then created a database and a collection within, both named WARNING.

“I have seen indications of silent theft but never that a database was deleted,” he added. “Replaced with a new one called WARNING, with only one collection (table) with one record, all named warning with one single message that leads to one bitcoin address. Stealing data is very common and has been going on for years, but monetizing open databases [in this way] for ransom is a new development.”

Gevers argued that this is just the latest example of the security risks that surround unprotected, open databases, describing them as “disasters that are waiting to happen”, with many instances of large data leaks involving unprotected MongoDB databases.

“Our advice would be to protect this server with a firewall blocking port 27017 and limit the access of the service with bind_ip to only accept local connections as option in the configuration. Or you can choose to restart the database server with -auth option after you create users who can access the database.”

Also, Gevers urged users to check MongoDB accounts to see if somebody added a secret (admin) user, check the GridFS to see if someone stored any files there, and check the logfiles to see who accessed the MongoDB.
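The two pieces of advice above, hardening the listener and auditing who touched the database, can both be checked from a couple of files. The following Python script is an added example, not code from the article or from Gevers/the GDI Foundation. It assumes the legacy `key = value` mongod.conf format (the `bind_ip`/`auth` options named above), treats a missing `bind_ip` as listening on all interfaces (the pre-3.6 default), and scans log lines in the MongoDB 3.x text layout. The config snippets and log lines are constructed samples, and 203.0.113.5 is a documentation-range placeholder address.

```python
"""Audit a legacy mongod config for an exposed listener and scan mongod log
lines for external connections and database drops. Added example; config and
log samples below are constructed, not taken from a real incident."""
import ipaddress
import re
from collections import Counter

# Weak setting: listens on every interface, no authentication required.
WEAK_CONF = """
port = 27017
bind_ip = 0.0.0.0
"""

# Corrected setting: local connections only, users must authenticate.
HARDENED_CONF = """
port = 27017
bind_ip = 127.0.0.1
auth = true
"""

# Constructed log lines in the MongoDB 3.x text layout. 203.0.113.5 is a
# placeholder address from the documentation range.
SAMPLE_LOG = """\
2017-01-03T08:00:01.000+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:40110 #1 (1 connection now open)
2017-01-03T08:02:14.000+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:51234 #2 (2 connections now open)
2017-01-03T08:02:15.000+0000 I COMMAND  [conn2] dropDatabase customers starting
2017-01-03T08:02:15.100+0000 I COMMAND  [conn2] dropDatabase customers finished
2017-01-03T08:03:00.000+0000 I NETWORK  [conn2] end connection 203.0.113.5:51234 (1 connection now open)
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<sev>[A-Z]) (?P<comp>\w+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
# IPv4 only; the connection number lets later [connN] lines be tied to a source.
CONN_ACCEPTED = re.compile(
    r"connection accepted from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ #(?P<conn>\d+)"
)
DROP = re.compile(r"dropDatabase (?P<db>\S+) (starting|finished)")


def parse_legacy_conf(text):
    """Parse 'key = value' lines ('#' starts a comment) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def config_findings(text):
    """Return weak-setting findings for a legacy mongod config (empty = ok)."""
    conf = parse_legacy_conf(text)
    findings = []
    # Assumption: absent bind_ip means all interfaces (pre-3.6 default).
    bind_ip = conf.get("bind_ip", "0.0.0.0")
    for addr in bind_ip.split(","):
        if not ipaddress.ip_address(addr.strip()).is_loopback:
            findings.append(f"bind_ip includes non-loopback address {addr.strip()}")
            break
    if conf.get("auth", "false").lower() != "true":
        findings.append("auth is not enabled; any connection gets full access")
    return findings


def audit_log(text):
    """Summarise non-loopback connections and completed dropDatabase events.

    Returns {"external": Counter(ip -> connections), "drops": [(ip, db), ...]}.
    """
    conn_ip = {}  # connection id -> source address
    external = Counter()
    drops = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        ctx, msg = m.group("ctx"), m.group("msg")
        c = CONN_ACCEPTED.search(msg)
        if c:
            conn_ip[c.group("conn")] = c.group("ip")
            if not ipaddress.ip_address(c.group("ip")).is_loopback:
                external[c.group("ip")] += 1
            continue
        d = DROP.search(msg)
        if d and d.group(2) == "finished":
            conn_id = ctx[4:] if ctx.startswith("conn") else ctx
            drops.append((conn_ip.get(conn_id, "unknown"), d.group("db")))
    return {"external": external, "drops": drops}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, config_findings(conf) or "no findings")
    print(audit_log(SAMPLE_LOG))
```

Pointing `audit_log` at a real mongod log answers the question the article leaves to the reader (who connected, and did they drop anything); the secret-admin-user and GridFS checks still need a query against the `admin.system.users` collection and the `fs.files` collections of each database, which this offline script does not attempt.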
