[BreachExchange] Hacker held open MongoDB databases for ransom

Inga Goddijn inga at riskbasedsecurity.com
Wed Jan 4 18:29:58 EST 2017


http://securityaffairs.co/wordpress/55018/cyber-crime/mongodb-hacked.html

A mysterious hacker is breaking into unprotected MongoDB databases,
stealing their content, and asking for a ransom to return the data. Victor
Gevers, co-founder of the GDI Foundation <http://www.gdi.foundation/>, is
warning of poor security in MongoDB installations in the wild. The security
expert has discovered 196 MongoDB instances that were wiped by crooks and are
being held for ransom.

A hacker who goes by the online moniker Harak1r1 is demanding 0.2 BTC, roughly
$200 at the current exchange rate, in order to restore the installation. The
crooks also ask system administrators to demonstrate ownership of the
installation through email.

It seems that the hacker is focusing on open MongoDB installations, likely
using a search engine like Shodan
<http://securityaffairs.co/wordpress/42897/hacking/mongodb-vulnerable-databases.html>.

On December 27, Gevers discovered a MongoDB server that was left accessible
without authentication through the Internet.

“Unlike other instances he discovered in the past, this one was different.
When he accessed the open server, instead of looking at the database’s
content, a collection of tables, Gevers found only one table, named
“WARNING”,” reads a blog post
<https://www.bleepingcomputer.com/news/security/mongodb-databases-held-up-for-ransom-by-mysterious-attacker/>
published on bleepingcomputer.com <http://bleepingcomputer.com>.

The attacker accessed the open MongoDB database, exported its content, and
replaced all data with a table containing the following record:

{ "_id" : ObjectId("5859a0370b8e49f123fcc7da"), "mail" :
"harak1r1 at sigaint.org", "note" : "SEND 0.2 BTC TO
THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH
YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }

“I was able to confirm [this] because the log files show clearly that the
date [at which] it was exported first and then the new database with
tablename WARNING was created,” Gevers told BleepingComputer. “Every
action in the database servers was being logged.”

The expert notified the victims that their databases had been hacked:

“Criminals often target open databases to deploy their activities like
data theft/ransom. But we also have seen cases were open servers like these
are used for hosting malware (like ransomware), botnets and for hiding
files in the GridFS,” he wrote in the notification letter sent to the
victims.

Querying Google <https://www.v2ex.com/t/331501> for the hacker’s email
address and Bitcoin address, it is possible to verify that many other users
were victims of the same attacker.

Gevers suggests blocking access to port 27017, or limiting access to the
server by binding only to local IPs, in order to protect MongoDB
installations. MongoDB admins could also restart the database with the
“--auth” option, after they have assigned user access.

Other useful tips for MongoDB admins:

   - Check the MongoDB accounts to see whether anyone added a secret (admin) user.
   - Check the GridFS to see whether someone stored any files there.
   - Check the log files to see who accessed the MongoDB instance (show log
   global command).
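The three checks above as a small audit script. This is an added example, not code from the post, from Gevers or from MongoDB; the sample snapshot is constructed, and pymongo, the default server URI and the list of expected users are assumptions. The pure functions work on plain data so they run offline; collect_snapshot() fetches the same data from a live server.

```python
"""Audit a MongoDB server for the signs described in the post: an unexpected
(admin) user, files parked in GridFS, and the attacker's WARNING collection."""
PRIVILEGED_ROLES = {"root", "userAdminAnyDatabase", "dbOwner", "userAdmin"}

# Constructed sample, shaped like the output of collect_snapshot() below.
SAMPLE_SNAPSHOT = {
    "collections": {
        "admin": ["system.users", "system.version"],
        "customers": ["WARNING"],                     # only the ransom note is left
        "staging": ["fs.files", "fs.chunks", "jobs"],  # a GridFS bucket
    },
    "users": [  # shape of the `users` array returned by the usersInfo command
        {"user": "dbadmin", "db": "admin", "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]},
        {"user": "backup_svc", "db": "admin", "roles": [{"role": "root", "db": "admin"}]},
    ],
}

def unexpected_users(user_docs, expected):
    """Users not in `expected` (e.g. {"admin.dbadmin"}), privileged ones first."""
    found = []
    for u in user_docs:
        ident = f"{u['db']}.{u['user']}"
        if ident in expected:
            continue
        roles = {r["role"] for r in u.get("roles", [])}
        found.append((ident, sorted(roles), bool(roles & PRIVILEGED_ROLES)))
    return sorted(found, key=lambda t: (not t[2], t[0]))

def gridfs_buckets(collection_names):
    """A GridFS bucket shows up as a <prefix>.files / <prefix>.chunks pair (default prefix: fs)."""
    names = set(collection_names)
    return sorted(n[:-6] for n in names if n.endswith(".files") and n[:-6] + ".chunks" in names)

def ransom_collections(db_to_collections):
    """(db, name, only_collection_left) for every WARNING collection, the name the post reports."""
    return [(db, c, len(colls) == 1)
            for db, colls in db_to_collections.items() for c in colls if c.upper() == "WARNING"]

def audit(snapshot, expected_users=frozenset()):
    gridfs = {db: gridfs_buckets(colls) for db, colls in snapshot["collections"].items()}
    return {"unexpected_users": unexpected_users(snapshot["users"], set(expected_users)),
            "gridfs": {db: b for db, b in gridfs.items() if b},
            "ransom_note": ransom_collections(snapshot["collections"])}

def collect_snapshot(uri="mongodb://localhost:27017/"):
    """Same data from a live server; needs pymongo, and the URI is an assumption."""
    from pymongo import MongoClient
    client = MongoClient(uri, serverSelectionTimeoutMS=3000)
    colls = {db: client[db].list_collection_names() for db in client.list_database_names()}
    return {"collections": colls, "users": client["admin"].command("usersInfo")["users"]}

if __name__ == "__main__":
    import json, sys
    snap = collect_snapshot(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SNAPSHOT
    print(json.dumps(audit(snap, expected_users={"admin.dbadmin"}), indent=2))
```

Run it with a connection URI as the first argument to audit a real server; without one it audits the constructed sample.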

In December 2015, the popular expert and Shodan creator John Matherly found
over 650 terabytes of MongoDB data
<http://securityaffairs.co/wordpress/42897/hacking/mongodb-vulnerable-databases.html>
exposed on the Internet by vulnerable databases.

Other notable cases of open MongoDB databases exposed on the Internet were
found by the researcher Chris Vickery. In December 2015 he discovered 191
million records
<http://securityaffairs.co/wordpress/43115/hacking/voters-database-leaked.html>
belonging to US voters online, and in April 2016 he also discovered a 132 GB
MongoDB database open online and containing 93.4 million Mexican voter
records. In March 2016, Chris Vickery discovered online the database of the
Kinoptic iOS app, which had been abandoned by its developers, with details of
over 198,000 users.