MongoDB Customers Held to Ransom Again

Written by

Security researchers are warning MongoDB admins to secure their installations after a fresh wave of attacks targeting tens of thousands of servers with ransom-like tactics.

Victor Gevers, chairman of security non-profit GDI Foundation, revealed on Twitter that one of the attackers – using the email address – had compromised 22,000 servers.

The attackers scan the internet for publicly accessible databases running with default settings, before deleting the data and replacing it with the following ransom note:

"We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC [$650] and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored.”

At the time of writing, ransom payments of over BTC 24 (£84,400; $110,100) had been received by the hackers, with victims numbering nearly 76,000, according to a Google Docs spreadsheet that Gevers and fellow researcher Dylan Katz are updating.

The attacks are reminiscent of a similar series of ransom raids on MongoDB installations at the turn of the year, although it appears that there are fewer attackers this time but more victims.

Back in January, MongoDB released a set of guidelines for users, claiming that by following the “extensive security protections built into MongoDB” they could stay safe from the hackers.

Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, urged users to change all default settings on their installations.   

“Additionally, users using MongoDB – regardless of where deployed – should perform regular health checks on their server’s services, ensuring all applications are patched and any superfluous services are shut off,” he added. “This will help prevent the kinds of ‘drive-by’ attacks we are seeing against these default MongoDB installs.”

Tony Rowan, chief security consultant at SentinelOne, argued that data stored in MongoDB will be the lifeblood of many organizations and so continues to represent an attractive target.

“The only thing that stops them becoming a viable target is the application of a truly effective risk management strategy that encompasses a layered approach to all aspects of security,” he explained.

“From vulnerability management, through active endpoint security and all the way through to the application of threat intelligence and effective tested fast response strategies. These are the approaches that make the difference between minor incidents and becoming front page news.”

What’s hot on Infosecurity Magazine?