About 26,000 MongoDB databases were wiped by attackers over the weekend, with a demand of roughly $650 to restore each one. This is the second large wave of these attacks this year, and it matters because companies of every size, start-ups included, use MongoDB as primary storage. MongoDB is a document-oriented database developed under an open source model since 2009; the company behind it sells commercial support and related services.
The attackers used the same generic message for every victim, demanding 0.15 BTC (about $650) as ransom. Only a handful of victims have paid.
Since the first wave began in December, victims have paid over 24 BTC to more than a dozen different groups, many thousands of dollars extracted from organisations that often had no backups. In this latest wave, however, only 0.8 BTC has been paid, to a single group, which suggests that more victims are refusing to pay.
This latest wave revives the large-scale attacks on unsecured instances of the open-source NoSQL database, which were first documented by security researchers Victor Gevers and Niall Merrigan.
— Victor Gevers (@0xDUDE) September 2, 2017
Gevers explains that the attackers scan the internet for the MongoDB port (27017 by default) and connect with scripts that automatically drop the databases they find, then create a new database containing the ransom note. He states that the attacked databases were running with default settings and were therefore completely exposed. (Until MongoDB 3.6, a default installation accepted unauthenticated connections on every network interface, so any instance reachable from the internet could be read, modified or dropped by anyone who found it.)
One group, known as Kraken, has sold its extortion kit to other attackers, which has prompted further attacks. Kraken collected 11 BTC from its January campaign and has since spread the kit to other crews, which helps explain why a dozen different groups are now involved.
MongoDB users have apparently all but ignored the list of precautions that was published after the January 2017 attacks, and are now paying the price for that lack of awareness.
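The two settings behind the attacks described above are the listen address and authorization. The following audit script is an added example, not code from the article or from MongoDB: it parses the indented `key: value` subset of YAML that `mongod.conf` uses, and flags an instance that listens on all interfaces or runs without authorization. Both configuration samples are constructed for illustration; the rule that an absent `bindIp` counts as exposed reflects the pre-3.6 default (3.6 and later bind to localhost by default).

```python
"""Audit a mongod.conf for the two settings that left instances open to the
2017 ransom scripts: listening on all interfaces and running without
authorization. Added example; not from the article or from MongoDB."""

# Constructed example: the shape of a pre-3.6 mongod.conf with no security
# section. Nothing stops an unauthenticated client from dropping every database.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: the hardened form. Listens on loopback only and
# requires authentication (an admin user must be created before enabling it).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the indented 'key: value' subset of YAML used by mongod.conf into
    nested dicts. Deliberately minimal: no lists, anchors or quoted strings."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indent level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf):
    """Return (setting, problem) findings; an empty list means both checks pass."""
    findings = []
    net = conf.get("net", {})
    bind = net.get("bindIp")
    # Assumption: absent bindIp is treated as exposed, as it was before 3.6,
    # when mongod listened on every interface unless told otherwise.
    if bind is None or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(("net.bindIp",
                         "listens on all interfaces; bind to 127.0.0.1 or an internal address"))
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append(("security.authorization",
                         "not enabled; anyone who can reach the port has full access"))
    return findings


def is_exposed(text):
    """Convenience wrapper: True if the config text fails either check."""
    return bool(audit(parse_conf(text)))


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "OK")
```

The config check is only half of the picture: the live test for exposure is to connect to the instance from an external host without credentials and run `listDatabases`; if that succeeds, the database is in exactly the state the scanning scripts look for. Enabling `security.authorization` without first creating an administrative user locks everyone out, so create the user on the local interface before restarting with the hardened file, and keep offline backups regardless, since the attackers drop data rather than encrypt it.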
According to Gevers, there are about 20,000 unsecured MongoDB instances, and he estimates that all but one percent of them have already been ransacked; in other words, almost every unsecured instance has been compromised.
Gevers runs the GDI Foundation, a security non-profit based in the Netherlands, and has helped about 100 victims, in one case recovering vital research data from a leukemia study. He admits, however, that this is a small fraction of the roughly 75,000 victims in total. In some cases he was able to help by logging into the affected servers remotely and restoring the lost data.
He was also unsure whether the attacks succeeded because of misconfiguration or because of the old MongoDB defaults.
Over 25% of MongoDB instances have been compromised by online extortionists. In what may be related news, hundreds of Elasticsearch servers have also been wiped in the past few hours.