Original title: "Hackers blackmail 23,000 MongoDB databases and leak data if you don't pay"
Original author: Wan Jia, InfoQ

According to foreign media ZDNet, 22,900 MongoDB databases exposed online were blackmailed by hackers. The hacker reportedly used an automated script to scan for misconfigured MongoDB databases, delete the contents of each database, and then leave a ransom note asking users to pay 0.015 Bitcoin (equivalent to $140).

The attacker gave the database owner two days to pay the ransom. If the ransom is not paid, the attacker has a "Plan B": threatening to leak the victim's data and to contact the victim's local GDPR regulator to report the data breach. In this way, even if the victim does not pay the ransom, he or she will still face pressure from GDPR regulators.

It is understood that these 22,900 ransomed MongoDB databases account for 47% of all MongoDB databases exposed online.

The ransom note planted by the attackers was first discovered in April 2020. Victor Gevers, a cybersecurity researcher at the GDI Foundation whose job includes reporting servers exposed online to the companies that own them, said the initial attack did not include deleting data from the database. The attackers kept connecting to the same database, leaving the ransom note, and returning a few days later to leave another copy of it. Gevers said the attackers seemed to realize they had made a mistake in their script. Soon after, the attackers fixed their script and are now actually wiping the MongoDB databases. While some of those databases appeared to be test cases, Gevers said some production systems were also hit.

MongoDB Ransomware Incident

The hackers broke into the user's MongoDB database, deleted all the data, and then left a message demanding a ransom worth thousands of dollars in Bitcoin. This attack was called the "MongoDB ransomware incident." In fact, MongoDB ransomware incidents occurred several times a few years ago.

At the end of December 2016, MongoDB was blackmailed by hackers, and the incident reached its peak in January 2017. The attacker used the flawed configuration of MongoDB to launch the blackmail. The hacker group calling itself Harak1r1 exported the data from MongoDB databases that were publicly reachable on the Internet and removed the data from the MongoDB servers. At first, the data of 200 MongoDB database instances were illegally cleared. Within a few days, the number of infected MongoDB database instances had grown to more than 10,000. At first, the attacker asked the victim to pay 0.2 Bitcoin (then worth about 184 US dollars) as a data ransom. As more and more databases were infected, the attacker raised the ransom to 1 Bitcoin (worth about 906 US dollars). This incident is called the "MongoDB Apocalypse."

This campaign of attacks led hackers to realize that they could make more money by wiping MongoDB servers and leaving ransom notes behind to lure server owners desperate to get their files back. In September 2017, MongoDB databases were once again attacked by hackers for ransom, and three hacker groups hijacked more than 26,000 servers. Compared with the "MongoDB Apocalypse", the number of attackers this time decreased, but the destructiveness (the number of victims) of each attack increased.

In 2017, Davi Ottenheimer, senior director of product security at MongoDB, condemned the behavior, noting that one of the reasons it happened was that database owners failed to set passwords for their databases and left their servers exposed online without firewalls. Nearly 3 years later, little has changed. At the beginning of 2017, there were 60,000 MongoDB servers exposed online; now there are 48,000 servers exposed online, and the key point is that most of them do not have authentication enabled.

The reasons behind security issues

Why is MongoDB so vulnerable?

In this article, the author points out that the biggest security problem of MongoDB comes from its default configuration. In the default deployment, MongoDB can be logged in to without identity verification. As long as criminals find the address and port of a MongoDB instance on the Internet, they can access it directly through tools and hold full permissions on MongoDB to perform any operation. The reason for this design is that, by default, MongoDB uses the simplest deployment method to maximize running speed and is tailored to run on virtual machines (low-configuration machines), without fully considering the security of MongoDB.

Regarding the MongoDB ransomware incident, Tang Jianfa, the initiator of the MongoDB Chinese community and the chief architect of MongoDB Greater China, concluded in "No Technology is Perfect: A Complete Record of MongoDB's Ten Years of Development": In order to let programmers develop applications quickly, MongoDB does not require a username and password to log in by default. As a result, many careless programmers, especially at startups, often do not enable authentication when the system officially goes live. It is like buying a house but not using the door lock.

In my opinion, security is of vital importance to anyone who uses MongoDB. If you neglect it and MongoDB is exposed online, ransomware is a minor issue, but if your data is deleted, the loss is unlimited.

Original link: https://mp.weixin.qq.com
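The two settings the article keeps returning to, authentication off by default and the server reachable from the Internet without a firewall, are both visible in mongod.conf. The following script is an added example, not code from the article or from MongoDB; it audits a mongod.conf for exactly those two settings, showing the permissive deployment beside a hardened one. The two configuration texts are constructed samples, and the parser handles only the flat two-level YAML subset that mongod.conf uses (section headers with indented key: value lines), not the full YAML language.

```python
"""Audit a mongod.conf for the two settings behind the exposed-MongoDB
ransomware incidents: authentication disabled and binding to all interfaces.

Added example, not from the original article. The sample configs are
constructed; the parser covers only the two-level YAML used by mongod.conf.
"""

# Constructed sample: the permissive deployment the article describes.
# No 'security' section, so authorization is off, and bindIp exposes the
# port on every interface.
INSECURE_DEFAULT = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authentication required, listening on loopback only.
HARDENED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML used by mongod.conf
    into {section: {key: value}}. Comments and blank lines are skipped."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:                         # top-level section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:               # key inside current section
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of (setting, finding) tuples; empty means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []

    # security.authorization defaults to 'disabled' when absent.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append(("security.authorization",
                         "authentication is off: anyone who reaches the port "
                         "has full rights, including dropping every collection"))

    # An absent bindIp is treated as loopback, the default in current releases.
    net = conf.get("net", {})
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    public = bind_all or any(ip.strip() in ("0.0.0.0", "::")
                             for ip in bind.split(","))
    if public:
        findings.append(("net.bindIp",
                         "listening on all interfaces: reachable from the "
                         "Internet unless a firewall blocks the port"))
    return findings


if __name__ == "__main__":
    for name, text in (("insecure default", INSECURE_DEFAULT),
                       ("hardened", HARDENED)):
        print(f"== {name} ==")
        for setting, finding in audit_mongod_conf(text) or [("ok", "no findings")]:
            print(f"  {setting}: {finding}")
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`. Enabling `security.authorization` only helps once an administrative user has been created, so the check treats that setting as necessary but not sufficient; binding to loopback and filtering port 27017 at the firewall are the other half of the fix the article's sources describe.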