An attacker is obtaining access to unprotected MongoDB databases, stealing and erasing their content, and holding them for ransom.
On 27 December, security researcher Victor Gevers came across a MongoDB server that was open to external connections and that lacked a password on its admin account.
This database didn’t contain a lot of information. In fact, it only contained one table named “WARNING” with the following text:
"_id" : ObjectId("5859a0370b8e49f123fcc7da"),
"mail" : "email@example.com",
"note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
Taking a closer look, Gevers determined that someone named Harak1r1 had gained access to the database, stolen and erased its tables, replaced its content with the warning message, and demanded 0.2 Bitcoin in ransom. As he told Bleeping Computer:
“I was able to confirm [this] because the log files show clearly that the date [at which] it was exported first and then the new database with tablename WARNING was created. Every action in the database servers was being logged.”
Open MongoDB = Money 4 bad ppl.
SEND 0.2 BTC TO THIS ADDRESS AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE ! pic.twitter.com/gS4TxS7S09
— Victor Gevers (@0xDUDE) December 27, 2016
Gevers notified the affected company, which recovered its data from a backup.
Since then, reports of at least two similar incidents (here and here) have emerged on the web. Both attacks are believed to be part of a campaign by which Harak1r1 scans for vulnerable MongoDB versions and holds the databases for ransom.
As of this writing, a Bitcoin address associated with the attacker has logged 16 transactions. That number is likely to increase in the coming days and weeks. Indeed, Shodan founder John Matherly has observed more than 1,800 databases affected by these ransom-based attacks.
@SteveD3 nearly 2,000 instances affected w/ MongoDB ransomware now: pic.twitter.com/E154ZlLUmI
— John Matherly (@achillean) January 3, 2017
Given this ongoing campaign, it’s important that organizations recognize the dangers associated with unprotected MongoDB databases. Gevers weighs in on this topic:
“The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a devops way. About 78% of all these hosts were running known vulnerable versions.”
In the past, unprotected MongoDB instances have led to data breaches at dating services and data storage firms. It appears attackers like Harak1r1 are now leveraging them for extortion.
Organizations can protect themselves against these types of attacks by enabling authentication on their databases, updating their software, and disabling remote access. They should also regularly check the log files to see if anyone has gained unauthorized access to their servers.
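As an added illustration of the log check recommended above (example code written for this article, not Gevers' or Tripwire's tooling), the script below walks mongod-style log lines and flags the sequence Gevers described: an external client connecting, reading the data out, dropping it, and creating a WARNING collection. The log lines, the 3.x text format they approximate, and the trusted-network allowlist are all constructed assumptions.

```python
import ipaddress
import re
# Constructed mongod-style (3.x text format, approximated) log lines for this example.
LOG = """\
2016-12-27T09:10:02.001+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:50110 #7 (1 connection now open)
2016-12-27T09:10:03.120+0000 I COMMAND  [conn7] command shop.$cmd command: insert { insert: "orders", ordered: true } ninserted:1 0ms
2016-12-27T09:12:40.410+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.77:41002 #8 (2 connections now open)
2016-12-27T09:12:41.005+0000 I COMMAND  [conn8] command shop.$cmd command: find { find: "orders" } nreturned:5000 120ms
2016-12-27T09:12:55.330+0000 I COMMAND  [conn8] command shop.$cmd command: drop { drop: "orders" } 3ms
2016-12-27T09:12:56.017+0000 I COMMAND  [conn8] command shop.$cmd command: insert { insert: "WARNING", ordered: true } ninserted:1 0ms
"""
CONN_RE = re.compile(r'^(?P<ts>\S+) I NETWORK\s+\[\S+\] connection accepted from '
                     r'(?P<ip>[\d.]+):\d+ #(?P<conn>\d+)')
CMD_RE = re.compile(r'^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] command \S+ '
                    r'command: (?P<cmd>\w+) \{ \w+: (?P<arg>"[^"]*"|\d+)')

def parse_events(lines):
    """Yield (ts, conn_id, client_ip, command, target) for connection and command lines."""
    conn_ip = {}
    for line in lines:
        if m := CONN_RE.match(line):
            conn_ip[m["conn"]] = m["ip"]
            yield (m["ts"], m["conn"], m["ip"], "connect", None)
        elif m := CMD_RE.match(line):
            yield (m["ts"], m["conn"], conn_ip.get(m["conn"]), m["cmd"], m["arg"].strip('"'))

def find_ransom_indicators(lines, trusted_nets=("10.0.0.0/8", "127.0.0.0/8")):
    """Return (ts, conn_id, indicator, detail) tuples; trusted_nets is an assumed allowlist."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for ts, conn, ip, cmd, target in parse_events(lines):
        external = ip is not None and not any(ipaddress.ip_address(ip) in n for n in trusted)
        if cmd == "connect" and external:
            findings.append((ts, conn, "external-connection", ip))
        elif cmd == "find" and external:  # the "export" step that precedes the wipe
            findings.append((ts, conn, "bulk-read-from-external", target))
        elif cmd in ("drop", "dropDatabase"):
            findings.append((ts, conn, "destructive-command", f"{cmd} {target}"))
        elif cmd in ("insert", "create") and target.upper() == "WARNING":
            findings.append((ts, conn, "ransom-note-collection", target))
    return findings

def ransomed_connections(findings):
    """Connection ids that both destroyed data and created a WARNING collection."""
    kinds = {}
    for _ts, conn, kind, _detail in findings:
        kinds.setdefault(conn, set()).add(kind)
    return sorted(c for c, k in kinds.items()
                  if {"destructive-command", "ransom-note-collection"} <= k)
```

On the sample log, connection #8 is the only one that both drops a collection and writes the WARNING note, while the trusted client on connection #7 produces no findings.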
To learn more about how Tripwire can help with log management, click here.