[BreachExchange] MongoDB databases still being held for ransom, two years after attacks started

Destry Winant destry at riskbasedsecurity.com
Tue Feb 12 09:06:07 EST 2019


https://www.zdnet.com/article/mongodb-databases-still-being-held-for-ransom-two-years-after-attacks-started/

Two years after hacker groups began ransacking MongoDB databases and
requesting ransom payments, the practice is still very much alive,
ZDNet has learned this week.

While the original hacker groups that started this trend stopped after
a few months, new ones have constantly joined in on the attacks over
the past few years, only to discover that the practice isn't as
lucrative as they had hoped, and to drop out after failing to make any
profit.

This trend of ransom attacks targeting MongoDB servers first began in
December 2016, when hackers realized they could extort payments from
companies that had left their MongoDB databases exposed on the
internet.

At the time, there were roughly 60,000 MongoDB databases left exposed
online, so attackers had plenty of targets to choose from.

During the first wave of attacks, hackers downloaded data to their
systems, deleted the data on the company's server, and left a note
behind asking for a ransom in exchange for the data.

Hackers quickly realized that there was far too much data to save
locally, and within weeks began deleting data from servers outright,
but still leaving ransom notes, hoping to trick a victim into paying a
ransom fee for data the hackers never had.

The first hacker group (or lone hacker, still unknown) who engaged in
this practice went by the name of Harak1r1, but many others joined the
attacks, which hit their peak in the first half of 2017.

The attacks became known as the MongoDB Apocalypse, with hackers
ransacking over 28,000 servers in just two months at the start of
2017.

Hackers also diversified, and from MongoDB, they expanded to target
other exposed systems, such as ElasticSearch, Hadoop, CouchDB,
Cassandra, and MySQL servers.

Dutch security researcher Victor Gevers has been one of the security
researchers who tracked the MongoDB ransom attacks since the get-go.
For the past two years, he's continued to track these hacker groups
and their attacks in a Google Docs file he set up back in early 2017.

In an interview earlier this week, Gevers told ZDNet that the attacks
were still ongoing. Only over the course of last month, Gevers says he
spotted three new hacker groups.

These three new players managed to ransack nearly 3,000 MongoDB
databases, operating based on the same technique as the initial
attacks -- connecting to databases left without a password, deleting
data, and leaving a ransom note behind.

Gevers told ZDNet that these groups are "more clumsy" than past
hackers. "Most of the time they forget to delete the database," Gevers
said. Maybe that's why two of them didn't make any money from their
ransom demands, while the third barely gathered $200 in its respective
Bitcoin address.

"It's clear someone sold a toolkit, as each attack looks the same as
the others," Gevers said. "Only the email, Bitcoin address, and ransom
note differ."

Back in 2017, Davi Ottenheimer, Senior Director of Product Security at
MongoDB, Inc., blamed the attacks -- and rightfully so -- on database
owners who failed to set a password for their admin accounts.

Things don't seem to have changed much since then. Gevers says these
recent attacks have hit all versions of MongoDB, even the new ones,
meaning the problems with users failing to set up an admin password
have continued.

"I do see that owners are creating more MongoDB users (as they should),
but locking it down entirely is still challenging for a few," Gevers
said.

The MongoDB guide from 2017 on securing databases against ransom
attacks is still the first place to go for server owners looking to
improve their security posture.
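The two settings whose absence made these attacks possible are access control and network exposure. The following is an added example, not part of the ZDNet article or of MongoDB's own tooling: a small audit of a mongod.conf file that flags a missing `security.authorization: enabled` and a `net.bindIp` that listens on every interface. The two config texts are constructed samples, and the parser handles only the flat key/value YAML that mongod.conf uses.

```python
"""Audit a mongod.conf for the two controls whose absence enabled the
MongoDB ransom attacks: access control and listening address."""


def parse_simple_yaml(text):
    """Minimal indentation-based parser for the flat `key: value` YAML
    used by mongod.conf (no lists, no anchors). Returns nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("\"'")
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are set."""
    cfg = parse_simple_yaml(text)
    findings = []
    security = cfg.get("security") or {}
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can reach the port has full administrative access")
    net = cfg.get("net") or {}
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        findings.append("net.bindIp is not set: mongod releases before 3.6 "
                        "then listen on all interfaces")
    elif any(a.strip() in ("0.0.0.0", "::") for a in str(net["bindIp"]).split(",")):
        findings.append("net.bindIp contains a wildcard address: the database is "
                        "reachable from wherever the host is")
    return findings


# Constructed sample: no access control, bound to every interface.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authorization on, bound to loopback and one internal address.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```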