[BreachExchange] Attackers ransom bookseller’s exposed MongoDB database

Destry Winant destry at riskbasedsecurity.com
Thu Aug 8 09:55:28 EDT 2019


Exposed MongoDB databases have become an easy money-maker that ransomware
criminals are busy filling their boots with.

In mid-July 2019, another database fell to the extortion hackers, this
time containing 2.1 million records belonging to well-known Mexican
publisher and bookseller, Librería Porrúa.

It’s not certain how many individual customers were affected, but
purchase information included details of 1.2 million names, email
addresses, shipping addresses and phone numbers, plus site information
such as invoices and purchases, shopping cart IDs, activation codes
and tokens, and hashed card details.

There were also 958,000 personal records revealing most of the above
data fields plus dates of birth.

We know all this because this exposed MongoDB instance was discovered
by security researcher Bob Diachenko on 15 July 2019, the day after it
was first indexed by the Shodan search engine.

He explains how he immediately contacted the company with the bad
news. Unfortunately, by 18 July, criminals had spotted and “wiped” the
database, leaving a demand for 0.05 Bitcoins (around $500) to return

The next day, access to the now empty database was disabled by
someone, presumably in response to the attack. As of 1 August, nobody
from Librería Porrúa had contacted Diachenko regarding his discovery.

As with previous incidents involving exposed databases, the MongoDB
instance was accessible by anyone without the need for authentication,
with the added bonus that it could be reached using two different IP

As Diachenko points out, by the time criminals access a database of
this kind, paying the ransom is beside the point – even if the
attackers hand back the data, it might still have been copied and
exposed elsewhere.

Public access mode

As previously discussed on Naked Security, one of the risks with
MongoDB is that it’s easy to mess up, either by using an older version
lacking remote access authentication, or a newer instance that has
been poorly secured. Diachenko notes:

The public configuration makes it possible for cybercriminals to
manage the whole system with full administrative privileges. Once the
malware is in place, criminals could remotely access the server
resources and even launch a code execution to steal or completely
destroy any saved data the server contains.
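The two misconfigurations behind incidents like this one are an instance bound to every interface and access control left switched off. As an added example (not code from the article or from Diachenko), here is a small audit of a mongod.conf in MongoDB's YAML format that flags both. The two configurations it checks are constructed for the example; the parser is a deliberately minimal one for the flat two-level layout of mongod.conf, not a general YAML parser.

```python
"""Audit a mongod.conf (YAML format) for the two settings that most often
leave an instance exposed: access control disabled and a bind to all
interfaces. Added example; the configs below are constructed, not real."""

# Constructed: the kind of config that yields an open, unauthenticated instance.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from any address
"""

# Constructed: the same instance with access control on and a local-only bind.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' layout of mongod.conf.

    Minimal on purpose: two levels only, no lists, comments stripped.
    Enough for an audit of net.* and security.* settings."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw.startswith(" "):
            # top-level section header such as "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    findings = []

    # Check 1: access control. Without security.authorization: enabled,
    # any client that can reach the port has full administrative access.
    authz = conf.get("security", {}).get("authorization", "disabled")
    if authz.lower() != "enabled":
        findings.append("security.authorization is not 'enabled'")

    # Check 2: network exposure. bindIpAll or a wildcard address exposes the
    # port on every interface; an unset bindIp falls back to the server
    # default (all interfaces before MongoDB 3.6, localhost from 3.6 on).
    net = conf.get("net", {})
    bind = net.get("bindIp", "")
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: listening on all interfaces")
    elif any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp includes a wildcard address: "
                        "listening on all interfaces")
    elif not addrs:
        findings.append("net.bindIp is unset: exposure depends on the "
                        "server version's default")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Enabling authorization only helps once at least one user exists; on a fresh instance, create the administrative user first (MongoDB's localhost exception allows that before authorization locks the door). Binding to localhost or a private address and filtering port 27017 at the network edge is what keeps the instance out of search engines like Shodan in the first place.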

It’s the recurring weakness that contributed to a huge campaign that
compromised up to 27,000 MongoDB installations in 2017.

In 2018, in another severe incident, a database of 445 million records
held by disaster recovery company Veeam was found in an exposed state
by Diachenko.

In May this year, Diachenko discovered yet another MongoDB database
containing the records of 275 million people in India.
