News

Hackers Pile On As MongoDB Databases Are Hijacked for Ransom

• By David Ramel
• January 6, 2017

Thousands of open MongoDB databases have been attacked by hackers who hijack the stored data and demand ransom to return the contents.

The MongoDB ransom scheme was first reported by Victor Gevers, founder of security organization GDI Foundation, on Dec. 27.

A hacker going by the handle "Harak1r1" apparently started the attacks, stealing MongoDB content and leaving behind a ransom note reading:

"SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"

The requested ransom, 0.2 bitcoin, equals about $220.

According to an article published on BleepingComputer.com yesterday, two more groups of hackers piled on the scheme with their own copycat extortions. Their ransom notes read:

"YOUR DBS ARE ENCRYPTED. SEND 0.5 BTC (BITCOIN) ~= 550USD, TO THIS BTC ADDRESS: 15b7bS8tUg8NpzX2FRJQskEFjWRDg9gy6f AND CONTACT THIS EMAIL: [email protected] WITH THE IP OF YOUR LOCKED SERVER TO RECOVER YOUR DBS!"

and

"Your database has been pwned because it is publicly accessible at port 27017 with no authentication (wtf were you thinking?). Your data has been dumped (with data types preserved), and is easily restorable. To get your data back, email the supplied email after sending 0.15BTC to the supplied Bitcoin wallet, do this quickly as after 72 hours your data will be erased (if an email is not sent by then). We will get back to you within 2 days. All of your data will be restored to you upon payment via a email response.

And, less than two hours before this article was published, Gevers tweeted about another group hopping on the MongoDB extortion bandwagon, this one discovered by another person. In this latest attack, the requested ransom is 0.25 BTC. Gevers is documenting the attacks in this online spreadsheet. As of press time, there were eight entries.

MongoDB Inc. reportedly months ago fixed the original attack vector, caused by a default configuration, but older, unpatched databases remained vulnerable.

"The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a DevOps way," Gevers told BleepingComputer.com. "About 78 percent of all these hosts were running known vulnerable versions."

Database administrators are urged to protect their data by following MongoDB security guidelines. Zohar Alon, co-founder and CEO of cloud security firm Dome9, also provided some security advice to ADTMag.com.

"User errors coupled with weak security practices continue to jeopardize workloads running in cloud environments," Alon said. "In the public cloud, one strike is all it takes to bring a business to its knees. Security in a cloud environment has to be designed in layers, starting with policies that minimize the attack surface by eliminating unnecessary asset exposure."

Regarding those who have been attacked, Gevers told ThreatPost.com that database owners who pay the requested ransoms aren't guaranteed to get their money back, as the data is destroyed and not returned upon payment. Yesterday, he tweeted a similar message: "Please STOP paying the ransom. There is no evidence that they actual copied your database. Get a local expert to have your log files checked."

"Attacks have changed," Gevers told ThreatPost.com. "They are clearly cherry-picking targets with databases they think contain the most valuable assets."