Threat Management, Malware, Ransomware

MongoDB databases under attack worldwide

Content on unprotected MongoDB databases around the world is being stolen and replaced in a new attack campaign, according to Bleeping Computer.

First reported by security researcher Victor Gevers, working with the just launched Project 366 with the GDI Foundation, the attacks – perpetrated by a hacker calling himself Harak1r1 – have been hitting servers since at least Dec. 27 and demanding payouts of 0.2 Bitcoin (about $220).

Gevers detected a ransom demand that replaced all data on an unprotected MongoDB database. In this instance, upon being informed of the incursion by Gevers, the victim firm was able to recover its data, which fortunately had just been backed up.

Other incidents in which Harak1r1's email and Bitcoin address were used have been detected around the world. Bleeping Computer surmised that as all related incidents occurred over the past week, a "mass-scan operation" was being perpetrated by the attacker.

But, although a demand for cash is instituted, Gevers said this is not a case of ransomware as the content on the database is replaced, rather than encrypted. He believed the hacker is using a simple Python script.

Gevers has long been searching for "runnable systems" and reporting them via a responsible disclosure to the firms involved.

He points a finger at legacy MongoDB instances deployed via cloud hosting services for enabling these types of attack. Default configurations leave the database open to external connections via the internet, he said.

"The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a devops way," Gevers told Bleeping Computer. "About 78 percent of all these hosts were running known vulnerable versions."

While MongoDB updated its configurations months ago, many users continue to employ older versions. 

"Organizations can protect themselves against these types of attacks by enabling authentication on their databases, updating their software and disabling remote access," according to the Tripwire blog The State of Security. "They should also regularly check the log files to see if anyone has gained unauthorized access to their servers."

"This is, as far as I know, the first instance of data being stolen via a vulnerability and held in ransom fashion," Casey Ellis, CEO and founder, Bugcrowd, infomed SC Media on Thursday. "This is a logical, interesting and pretty scary pivot in the ransom strategy. There are tons of open, unauthenticated data stores on the internet."

Ellis says $200 is an "insanely small" amount of money to ask on the attackers part, leading him to believe it's the work of an amateur. "My guess is there either will be a) a second wave of attacks with a higher asking price; b) the current holder of the databases will be 'bought out' by a more sophisticated gang; or c) the current holder will up their price.

He also believes there's likely to be a rash of these types of attacks on other similar services over the next 30 days (e.g. MySQL, Amazon S3, etc).

"The crowd can find these things before the bad guys do," Ellis says. "This development connects a common issue (easily read/deleted data), an established business model (ransom), and a cashed-up owner (businesses, vs the traditional consumer target of ransomware). Finding these issues first has become very, very urgent."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.