[BreachExchange] Unistellar attackers already wiped over 12, 000 MongoDB databases

[Destry Winant]

https://securityaffairs.co/wordpress/85766/hacking/unistellar-wiped-12000-mongodb.html

Every time hackers deleted a MongoDB database they left a message
asking the administrators to contact them to restore the data.

Unfortunately, the criminal practice of deleting MongoDB databases and
request a ransom to restore data is common, experts observed several
campaigns targeting unsecured archive exposed online.

In the last wave of attacks, crooks don’t request the payment of a
specific ransom amount, instead, they provide an email contact to
start a negotiation.

Bleeping Computer first reported the attacks and cited the expert
Sanyam Jain as the person that discovered the deleted MongoDB
databases.

“this person might be charging money in cryptocurrency according to
the sensitiveness of the database.” explained Jain.

The expert discovered 12,564 unprotected MongoDB DBs that were wiped
by an attacker tracked as Unistellar, he searched the text
“hacked_by_unistellar” that the attacker left in the message.

Making the same search on Shodan experts at BleepingComputer found a
smaller number, 7,656 databases, while doing the same search I found
8.133 compromised installs exposed online.
It is likely the attacker has automated its attacks chain due to the
lange number of MongoDB databases deleted by Unistellar.

Jain first discovered the attacks on April 24, the note left by the
Unistellar attacker reads “Restore ? Contact : unistellar at yandex.com

The attacker used two email addresses in these attacks,
unistellar at hotmail.com or unistellar at yandex.com.

According to Jain, Unistellar creates restore points to restore the
databases after the victims have paid the ransom.

If you manage a MongoDB instance follow the guidelines on “how to
secure a MongoDB database”