The hacker controlled 250GB worth of the NewsBlur database and ransomed it before deleting it.
NewsBlur is a US-based software company that runs an online RSS newsreader service. NewsBlur suffered a service outage after a hacker wiped its database.
Reportedly, the hacker (or script kiddie, as NewsBlur’s founder called it) gained access to its database when the RSS reader was transitioning to Docker.
This process circumvented some firewall rules and exposed the service’s MongoDB database to the public. During the transitioning process, the original primary MongoDB cluster was shut down, so it remained untouched when the attack happened.
According to NewsBlur founder Samuel Clay, the hacker acted fast and copied the entire database before deleting the original one. The entire process took them just three hours.
“When I switched to a new MongoDB server, a hacker deleted all of NewsBlur’s mongo data and is now holding NewsBlur’s data hostage. I’m dipping into a backup from a few hours ago and will keep you all updated,” read the founder’s message on the personal newsreader service’s main page.
Clay further stated that the hacker controlled 250GB worth of the database and ransomed it before deleting it.
After our story was published, the renowned security researcher Bob Diachenko tweeted that:
— Bob Diachenko (@MayhemDayOne) June 28, 2021
NewsBlur is Back Online
Soon after detecting the attack, Clay took a snapshot of the primary database to restore NewsBlur services and could bring it back online around ten hours later. The company kept its users informed about the site’s status via Twitter in a series of updates that read:
“Snapshotting is done, backup has been verified (woohoo!), and now the MongoDB cluster is syncing. Should be about an hour from now and all will be well.”
“And we’re back up! It will take another couple hours until feed fetching can be restarted but all stories up until 6 hours ago should be there, ready for reading.”
UFW Firewall Modification Responsible for Data Hack?
Samuel Clay stated that Docker made a change in the UFW firewall, which is responsible for allowing unauthorized access to its database.
“When I containerized MongoDB, Docker helpfully inserted an allow rule into iptables, opening up MongoDB to the world. So while my firewall was ‘active’, […] MongoDB was open to the world,” Clay said.