HackRead
MongoDB Databases being Targeted by Cyber-criminals for Ransom

January 5th, 2017 Owais Sultan Security 0 comments

MongoDB is a popular open-source NoSQL database. Organizations of every size use it: MetLife, LinkedIn, the City of Chicago, Expedia, BuzzFeed, KPMG and The Guardian are among the many high-profile platforms currently running on MongoDB.

At the same time, having high-profile customers does not make a platform secure. In 2016, in two separate incidents, hackers leaked more than 36 million and 58 million accounts respectively from unsecured MongoDB instances.


Now unsecured MongoDB databases are being hijacked by a hacker who is not only wiping these databases but also keeping copies of them and demanding a ransom of 0.2 bitcoins (roughly US$ 211) from admins in exchange for the lost data. Admins who have not backed up these databases have little recourse, and the price of Bitcoin is rising as well: the latest rate is 1 Bitcoin = USD 1063.93.

The campaign was discovered by security researcher Victor Gevers, co-founder of the non-profit GDI Foundation. Gevers notified owners of vulnerable MongoDB databases that were exposed without password protection and reported that around 200 of these installations had already been wiped by the hacker.

Screenshot shared by Victor Gevers on his Twitter handle showing a hacked MongoDB.

Gevers believes the hacker(s) might be using an automation tool but selecting target databases manually. The hacker seems to be interested in databases that contain important data, or chooses companies most likely to be in a position to pay the ransom to get their data back.

In a conversation with SecurityWeek, Gevers said that “They use some sort of automation tool, but they also do some of the work manually. If they used a fully automated tool, we might have seen all exposed MongoDB databases being hijacked in one swift move.”

That figure is already out of date: according to a recent tweet by Shodan founder John Matherly, approximately 2,000 databases have been erased. Shodan is the search engine through which the majority of exposed MongoDB instances can be located. So far, 16 admins/organizations have already paid the ransom to recover their data.

The attacks on MongoDB databases have been going on for more than a week, and servers across the globe have been targeted. Researchers believe that the attacker, who uses the alias “harak1r1”, does not encrypt the stolen data but runs a script that replaces the database content with the ransom note.

Gevers accessed one of the open servers and found that, in place of the database content, there was a single table available for viewing, titled WARNING. It read:

“SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE!”

“Our advice would be to protect this server with a firewall blocking port 27017 and limit the access of the service with bind_ip to only accept local connections as option in the configuration. Or you can choose to restart the database server with -auth option after you create users who can access the database,” according to Gevers.

To check whether you are also a victim, inspect the MongoDB accounts for any new, unexpected (admin) user; then check GridFS for any newly stored files; and finally inspect the log files for signs that an unauthorized user has tried to access the MongoDB instance.

To avoid becoming a victim, enable authentication, which gives you “defense in depth” if the network is attacked. To do this, set auth = true in the MongoDB configuration file.
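The three checks above (unexpected accounts, new GridFS files, suspicious log entries) can be scripted for triage. The script below is an added example written for this page, not code from the article or from MongoDB; all of its inputs are constructed placeholders: the user baseline, the account and GridFS documents, the IP addresses, and log lines whose shape only approximates the MongoDB 3.x text log format. In practice you would feed it the output of admin.system.users, the fs.files collection and the mongod log.

```python
import re
from datetime import datetime, timezone

# Added example: triage script for the three checks described above. All data
# below is constructed (placeholder users, file names, IPs and log lines loosely
# shaped like the MongoDB 3.x text log); nothing is taken from a real instance.

# Baseline of accounts the administrator knows they created (assumed).
EXPECTED_USERS = {"app_rw", "backup_ro"}

# Documents as they would come back from admin.system.users (constructed).
SYSTEM_USERS = [
    {"user": "app_rw", "db": "admin", "roles": [{"role": "readWrite", "db": "orders"}]},
    {"user": "backup_ro", "db": "admin", "roles": [{"role": "read", "db": "orders"}]},
    {"user": "rogue_admin", "db": "admin", "roles": [{"role": "root", "db": "admin"}]},
]

# Last time the administrator is sure the instance was healthy (assumed).
LAST_KNOWN_GOOD = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Entries from the GridFS fs.files collection (constructed).
FS_FILES = [
    {"filename": "invoice-2016-12.pdf", "uploadDate": datetime(2016, 12, 20, tzinfo=timezone.utc)},
    {"filename": "dump.tar.gz", "uploadDate": datetime(2017, 1, 3, 2, 14, tzinfo=timezone.utc)},
]

# mongod log excerpt (constructed; the shape only approximates the real format).
LOG_LINES = """\
2017-01-03T02:10:11.432+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:50122 #7 (1 connection now open)
2017-01-03T02:13:40.901+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.45:41822 #8 (2 connections now open)
2017-01-03T02:13:41.120+0000 I COMMAND  [conn8] dropDatabase orders starting
2017-01-03T02:13:41.388+0000 I COMMAND  [conn8] dropDatabase orders finished
""".splitlines()

CONN_RE = re.compile(r"connection accepted from (?P<ip>[0-9a-fA-F.:]+):\d+ #(?P<conn>\d+)")
DROP_RE = re.compile(r"\[conn(?P<conn>\d+)\] dropDatabase (?P<db>\S+) starting")


def is_loopback(ip):
    """True for connections that originate on the server itself."""
    return ip.startswith("127.") or ip == "::1"


def unexpected_users(users, expected):
    """Check 1: accounts that are not in the administrator's baseline."""
    return sorted(u["user"] for u in users if u["user"] not in expected)


def new_gridfs_files(files, cutoff):
    """Check 2: GridFS files stored after the last known-good time."""
    return sorted(f["filename"] for f in files if f["uploadDate"] > cutoff)


def suspicious_log_events(lines):
    """Check 3: connections from remote peers, and database drops issued over them."""
    remote = {}        # connection id -> remote source IP
    remote_drops = []  # (source IP, database) for each dropDatabase from a remote peer
    for line in lines:
        m = CONN_RE.search(line)
        if m and not is_loopback(m["ip"]):
            remote[m["conn"]] = m["ip"]
            continue
        m = DROP_RE.search(line)
        if m and m["conn"] in remote:
            remote_drops.append((remote[m["conn"]], m["db"]))
    return remote, remote_drops


def check_instance(users, files, lines, expected_users, last_known_good):
    """Combine the three checks into one triage report."""
    remote, drops = suspicious_log_events(lines)
    report = {
        "unexpected_users": unexpected_users(users, expected_users),
        "new_gridfs_files": new_gridfs_files(files, last_known_good),
        "remote_connections": remote,
        "remote_drops": drops,
    }
    # An unknown privileged account or a drop from a remote peer is a strong sign.
    report["compromised"] = bool(report["unexpected_users"] or drops)
    return report


if __name__ == "__main__":
    report = check_instance(SYSTEM_USERS, FS_FILES, LOG_LINES, EXPECTED_USERS, LAST_KNOWN_GOOD)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The log check keys database drops to the connection that issued them, so a drop performed over a loopback connection (an administrator's own maintenance) is not flagged while the same command arriving from a remote address is. Adjust the regular expressions to the log format of the MongoDB version you actually run.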


Moreover, enable firewalls and disable remote access to MongoDB databases wherever you can. Admins should block access to port 27017 at the firewall. You also need to configure bind_ip so that the server binds only to local IP addresses, limiting who can reach it. Finally, keep the software upgraded and install the latest patches and updates.
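The two configuration settings the article names, bind_ip and auth, can be checked mechanically before an instance goes live. The following audit is an added example written for this page, not a tool from MongoDB or from the article; it parses the legacy "key = value" mongod.conf format that those option names belong to, and the weak and hardened configurations it checks are constructed for the example.

```python
# Added example: audit of a legacy-format mongod.conf against the hardening
# steps in the article (bind_ip limited to local addresses, auth enabled).
# Both configurations below are constructed for the example.

WEAK_CONF = """\
# constructed example: exposed, unauthenticated instance
port = 27017
bind_ip = 0.0.0.0
#auth = true
"""

HARDENED_CONF = """\
# constructed example: local-only, authenticated instance
port = 27017
bind_ip = 127.0.0.1
auth = true
"""

# Addresses that keep the listener reachable from the host itself only.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def parse_legacy_conf(text):
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    settings = parse_legacy_conf(text)
    findings = []

    bind_ip = settings.get("bind_ip")
    if bind_ip is None:
        # Releases before 3.6 listened on all interfaces when bind_ip was unset.
        findings.append("bind_ip not set: older releases listen on all interfaces by default")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        exposed = sorted(addrs - LOCAL_ADDRESSES)
        if exposed:
            findings.append(f"bind_ip exposes non-local addresses: {', '.join(exposed)}")

    if settings.get("auth", "false").lower() != "true":
        findings.append("auth not enabled: any client that can reach the port has full access")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config(conf) or ["OK"])
```

Note that the audit covers only what the configuration file expresses: whether port 27017 is actually blocked from the outside depends on the host or network firewall and has to be verified there, and a commented-out "auth = true" line (as in the weak configuration) is treated as unset, exactly as mongod would treat it.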

Source: Twitter/Victor Gevers, https://twitter.com/0xdude/status/813865069218037760

Security List: MongoDB Docs, https://docs.mongodb.com/manual/administration/security-checklist/
