[BreachExchange] No honor among thieves: Crooks seeking ransom for MongoDB data someone else stole

Inga Goddijn inga at riskbasedsecurity.com
Wed Jan 11 16:48:36 EST 2017


http://www.networkworld.com/article/3156630/security/no-honor-among-thieves-crooks-seeking-ransom-for-mongodb-data-someone-else-stole.html

It took less than a week for criminals to drain virtually all publicly
exposed MongoDB servers
<http://www.networkworld.com/article/3155255/security/more-than-10000-exposed-mongodb-databases-deleted-by-ransomware-groups.html>
of their data, and now a second tier of opportunistic thieves is trying to
walk off with the ransom.

When attackers initially deleted the data, sometimes terabytes at a time,
they left ransom notes demanding payments in bitcoin.

In the meantime, other thieves have come along to these still-insecure
servers, deleted the initial ransom notes and left their own. And sometimes
after that, another thief came along and deleted that note and left yet
another.

“There’s a fluctuation and shift in which ransom note is being displayed on
the server at any given minute,” says Zach Wikholm, a research developer at
Flashpoint.

Not that it matters, he says. The likelihood that any victim of these
thefts will ever get their data back is minuscule. It’s relatively easy to
find the vulnerable servers, pull down the data and delete it, but to do
that and to store it would require time and enormous amounts of storage, he
says.

It’s highly unlikely the thieves made that kind of investment. Instead they
deleted the data and demanded payment to restore it. “There’s no hope for
those who were compromised,” he says.

It didn’t take a large group to commit these crimes. “Pulling this off is
within the ability of one person,” says Allison Nixon, Flashpoint’s
director of security research. “Now there are multiple bad actors for sure.
Opportunists is a good word.”

Niall Merrigan, a managing consultant at Capgemini, has been following this
closely and chronicling the thefts on his Twitter account
<https://twitter.com/nmerrigan>. He says more than 32,000 MongoDB servers
have been hit.

This threat to public-facing MongoDB databases has been publicized for
about a year, but only within the past week has anyone tried to cash in on
the exposure in a big way, Nixon says.

Security researchers discovered the fact that these databases were exposed
and unprotected and issued public warnings, but tens of thousands of admins
in 90 countries paid no heed. “People saw it as a thing but not a
particularly threatening thing,” Nixon says.

But then someone recognized the profit potential in the ransom scheme and
everything changed. “It turns from an academic argument to a worldwide
incident in literally days,” she says.

This situation is different from classic ransomware attacks in which
attackers encrypt data, then demand payment for turning over the keys to
decrypt. In this case, attackers removed the data from the servers
altogether, no encryption involved, and it’s unlikely the data was ever
saved anywhere, Wikholm says. It simply disappeared too fast for it to have
been downloaded, and returning it would require an upload that would take
days or in some cases weeks.

MongoDB was never designed to be publicly facing, and it ships with
authentication turned off. It can be added, Wikholm says, but clearly an
enormous number of people chose not to. Judging from the volumes of data
these servers contained, many were likely used for business purposes and so
likely had admins who missed the chance to protect them and failed to heed
warnings.
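Two settings made these servers wipeable: the daemon was reachable from the internet, and it accepted any connection as an administrator. The script below is an added example, not code from the article, Flashpoint or the MongoDB project. It statically audits a mongod.conf for both conditions, in the YAML form used since MongoDB 2.6 and in the older key = value form. The three sample configs it carries are constructed, and `parse_mongod_conf`, `audit_mongod_conf` and the constants are names chosen here.

```python
"""Audit a mongod.conf for the two settings behind the wiped servers:
listening on every interface and running without access control.

Added example, not code from the article, Flashpoint or MongoDB. It
accepts the YAML-style config (MongoDB 2.6 and later) and the older
key = value format; the sample configs at the bottom are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

_LINE = re.compile(r"^(\s*)([A-Za-z_][\w.]*)\s*[:=]\s*(.*)$")
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_mongod_conf(text: str) -> Dict[str, str]:
    """Return settings as dotted keys, e.g. {'net.bindIp': '0.0.0.0'}.

    Deliberately minimal: it understands top-level sections with one level
    of indented keys (enough for net.bindIp and security.authorization) and
    flat key = value lines. It is not a general YAML parser.
    """
    settings: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blank lines
        m = _LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        value = value.strip().strip("\"'")
        if not indent:
            # 'net:' opens a section; 'bind_ip = x' is a flat legacy key
            section = key if value == "" else None
            if value:
                settings[key] = value
        else:
            settings[f"{section}.{key}" if section else key] = value
    return settings


def _is_local_only(addr: str) -> bool:
    """Loopback IPs, 'localhost' and Unix socket paths do not reach the network."""
    if addr.startswith("/") or addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # any other hostname: assume it resolves to a routable address


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both settings are safe."""
    s = parse_mongod_conf(text)
    findings: List[str] = []

    bind = s.get("net.bindIp", s.get("bind_ip"))
    if bind is None:
        # mongod before 3.6 listened on all interfaces when bindIp was unset
        findings.append("bindIp not set: pre-3.6 mongod listens on every interface by default")
    else:
        addrs = [a.strip() for a in bind.split(",") if a.strip()]
        if any(a in WILDCARD_BINDS for a in addrs):
            findings.append(f"bindIp {bind}: listens on every interface")
        elif not all(_is_local_only(a) for a in addrs):
            findings.append(f"bindIp {bind}: reachable from other hosts; needs a firewall in front")

    yaml_auth = s.get("security.authorization", "disabled").lower() == "enabled"
    legacy_auth = s.get("auth", "false").lower() in ("true", "1")
    if not (yaml_auth or legacy_auth):
        findings.append("authorization disabled: anyone who can connect can read, drop and write every database")
    return findings


# Constructed sample: the shape of the servers that were wiped.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # every interface, and no security section at all
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Constructed sample: legacy key = value format, auth on but bound to a LAN address.
LEGACY_CONF = """\
bind_ip = 10.0.0.5
auth = true
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Turning `security.authorization` on is only half the job: with no users defined, the only way in is the localhost exception, so create an administrator first from a shell on the box (`use admin` then `db.createUser({user: "admin", pwd: "<strong password>", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})`) and then restart with authorization enabled. The audit is static; it does not replace checking from outside the host that TCP 27017 is not reachable.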

The lesson to learn from this incident is to better evaluate security
warnings. Consider them from the criminal point of view and look for a way
someone might make money from exploiting them, Nixon says. When that
potential is there, act quickly because someone is surely going to do so
soon.