<div dir="ltr"><a href="http://securityaffairs.co/wordpress/55018/cyber-crime/mongodb-hacked.html">http://securityaffairs.co/wordpress/55018/cyber-crime/mongodb-hacked.html</a><br><br><h2>A mysterious hacker is breaking into unprotected MongoDB databases,
stealing their content, and asking for a ransom to return the data.</h2>
<section class="gmail-deck gmail-viewability">Co-founder of the <a href="http://www.gdi.foundation/">GDI Foundation</a> Victor
Gevers is warning of poor security for MongoDB installations in the
wild. The security expert has discovered 196 instances of MongoDB that
were wiped by crooks and being held for ransom.
<p>A hacker who goes by online moniker Harak1r1 is demanding 0.2 BTC,
roughly $200 at the current exchange, in order to restore the
installation. The crooks also request system administrators to
demonstrate the ownership of the installation through email.</p>
<p>It seems that the hacker is focusing on open MongoDB installations, likely using a search engine like <a href="http://securityaffairs.co/wordpress/42897/hacking/mongodb-vulnerable-databases.html">Shodan</a>.</p>
<p>On December 27, Gevers discovered a MongoDB server that was left accessible without authentication through the Internet.</p>
<p><em>“Unlike other </em>instances<em> he discovered in the past, this
one was different. When he accessed the open server, instead of looking
at the database’s content, a collection of tables, Gevers found only one
table, named “WARNING”. ” reads a <a href="https://www.bleepingcomputer.com/news/security/mongodb-databases-held-up-for-ransom-by-mysterious-attacker/">blog post</a> published on <a href="http://bleepingcomputer.com">bleepingcomputer.com</a>.</em></p>
<p>The attacker accessed the open MongoDB database, exported its
content, and replaced all data with a table containing the following
code:</p>
<p><em><code class="gmail-language-sql">{ "_id" :
ObjectId("5859a0370b8e49f123fcc7da"), "mail" : "<a href="mailto:harak1r1@sigaint.org">harak1r1@sigaint.org</a>",
"note" : "SEND 0.2 BTC TO THIS ADDRESS
13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP
OF YOUR SERVER TO RECOVER YOUR DATABASE !" }<br>
</code></em></p>
</section>
<p class="gmail-deck gmail-viewability"><em>“I was able to confirm [this] because
the log files show clearly that the date [at which] it was exported
first and then the new database with </em>tablename<em> WARNING was created,” Gevers told BleepingComputer. “Every action in the database servers was being logged.”</em></p>
<p>The expert notified victims their database were hacked:</p>
<p><em>“Criminals often target open databases to deploy their activities
like data theft/ransom. But we also have seen cases were open servers
like these are used for hosting malware (like ransomware), botnets and
for hiding files in the GridFS,” he wrote in the notification letter
sent to the victims. </em></p>
<section class="gmail-deck gmail-viewability"><img class="gmail-aligncenter gmail-wp-image-55021 gmail-size-full" src="https://i0.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2017/01/MongoDB-ransom.png?resize=646%2C332" alt="MongoDB" height="324" width="630"><a href="https://www.v2ex.com/t/331501">Querying Google</a>
for the hacker’s email address and Bitcoin address it is possible to
verify that many other users were victims of the same attacker.Gevers
suggests to block access to port 27017 or limit access to the server by
binding local IPs in order to protect the MongoDB installations. MongoDB
admins could also restart the <span class="gmail-vm-hook-outer gmail-vm-hook-default"><span class="gmail-vm-hook">database</span></span> with the “–auth” option, after they’ve assigned users access.
<p>Below other tips useful for MongoDB admins:</p>
<ul><li>Check the MongDB accounts to see if no one added a secret (admin) user.</li><li>Check the GridFS to see if someone stored any files there.</li><li>Check the logfiles to see who accessed the MongoDB (show log global command).</li></ul>
<p>In December 2015, the popular expert and Shodan creator John Matherly <a href="http://securityaffairs.co/wordpress/42897/hacking/mongodb-vulnerable-databases.html">found over 650 terabytes of MongoDB data</a> exposed on the Internet by vulnerable databases.</p>
</section>
<section class="gmail-deck gmail-viewability">Other clamorous cases of open MongoDB exposed on the Internet were found by the researcher Chris Vickery.</section>
In December 2015 the security expert Chris Vickery discovered <a href="http://securityaffairs.co/wordpress/43115/hacking/voters-database-leaked.html">191 million records</a> belonging
to US voters online, in April 2016 he also discovered a 132 GB MongoDB
database open online and containing 93.4 million Mexican voter
records.In March 2016, Chris Vickery has discovered online the database
of the Kinoptic iOS app, which was abandoned by developers, with details
of over 198,000 users.<br></div>