Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Exposed MongoDB installs being erased, held for ransom

Steve Ragan | Jan. 4, 2017
Administrators should check their MongoDB deployments before they’re wiped clean

Security researcher Victor Gevers, co-founder of the GDI Foundation, a non-profit dedicated to making the internet safer, is urging administrators to check their MongoDB installations, after finding nearly two hundred of them wiped and being held for ransom.

Currently, as of Monday morning, Gevers says he’s discovered 196 instances of a MongoDB installation exposed to the public that's been erased and held for ransom. UPDATE: The count has reached nearly 2,000 databases as of 4:00 p.m.

The person behind the attacks is demanding 0.2 BTC ($202.89 USD) as payment, and requiring system administrators email proof of ownership before the files are restored. Those without backups are left in a bind.

Gevers has sent dozens of notifications to affected victims and on Twitter has responded to at least two requests for assistance after administrators learned of the issue.

In each observed attack, the message remains the same – pay up or lose your data. It’s possible the attacker is finding open MongoDB installs via basic scanning or Shodan, Gevers said. It’s also possible they’re finding MongoDB installs that are vulnerable to various exploits, including one that allows remote authenticated users to obtain internal system privileges.

MongoDB install held for ransom  

If so, then administrators are caught in the middle of a rat race between Gevers and “Harak1r1” - the person responsible for the attacks. Asked for his thoughts and advice, Gevers shared the notification letter he is sending to identified victims.

In it, he advises that they protect the MongoDB installs by blocking access to port 27017 or limit access to the server by binding local IPs. Administrators can also chose to restart the database with the "–auth" option, after they’ve assigned users access.

In addition, he offers the following tips:

  1. Check the MongDB accounts to see if no one added a secret (admin) user.

  2. Check the GridFS to see if someone stored any files there.

  3. Check the logfiles to see who accessed the MongoDB (show log global command).

“Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases were open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” the notification letter explains.

In late 2015, there were approximately 35,000 MongoDB installations on the internet. Most of these installations were insecure and publicly available, and combined stored nearly 700 TB of data.

Configuration errors in MongoDB have led to a number of major data breaches, including the Hello Kitty data breach that exposed 3.3 million people.


1  2  Next Page 

Sign up for Computerworld eNewsletters.