MongoDB is a famous, open-source NoSQL database. Organizations use them regardless of their size; from MetLife, LinkedIn, City of Chicago, Expedia, BuzzFeed to KMPG and The Guardian there are several other high-profile platforms that are currently taking advantage of MongoDB.
At the same time, having a high-profile customer doesn’t mean that platform is completely secure. That’s why in 2016, in two different incidents, hackers leaked more than 36 million and 58 million accounts respectively from unsecured MongoDB.
Now, unsecured MongoDB databases are being hijacked by a hacker, who is not only wiping out these databases but also storing copies of them and asking for a ransom of 0.2 bitcoins (roughly US$ 211) from admins in exchange of the lost data. Those admins who haven’t created backups of these databases are seriously helpless because the rate of Bitcoin is also increasing and the latest rate is 1 Bitcoin = USD1063.93.
The hacking campaign was discovered by security researcher Victor Gevers, co-founder of GDI Foundation, a non-profit organization. Gevers notified owners about the presence of vulnerable, non-password-protected MongoDB databases and also informed that around 200 of these installations have been wiped out by the hacker.
Gevers believes that the hacker(s) might be utilizing an automation tool but they manually select their target databases. Hacker seems to be interested in databases that contain important information/data or he chooses companies that are most likely in a position to pay the ransom to get their data back.
In a conversation with SecurityWeek, Gevers said that “They use some sort of automation tool, but they also do some of the work manually. If they used a fully automated tool, we might have seen all exposed MongoDB databases being hijacked in one swift move.”
But that was old news; as per recent tweet by Shodan founder John Matherly, approx. 2,000 databases have been erased. It must be noted that Shodan is the platform where a majority of MongoDB instances can be located. As of now, 16 admins/organizations have already paid the ransom to obtain the lost data.
The attacks on MongoDB databases have been going on for more than a week and servers from across the globe have been targeted. Researchers believe that the attacker, who uses the alias “harak1r1” does not encrypt the stolen data but runs a script, which replaces the database content with the ransom note.
Gevers attempted to access one of the open servers and identified that instead of the database content there was just one table available for viewing, which was titled WARNING. This table read:
“SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE!”
“Our advice would be to protect this server with a firewall blocking port 27017 and limit the access of the service with bind_ip to only accept local connections as option in the configuration. Or you can choose to restart the database server with -auth option after you create users who can access the database,” according to Gevers.
To see if you are also a victim or not simply check the MongoDB accounts and note if there is any new secret (admin) user; then check the GridFS for any newly stored files and finally inspect the log files in case some unauthorized user has tried to access MongoDB instances.
If you want to prevent yourself from being the victim of hacking, you need to enable authentication, which should provide you “Defense in depth,” in situations when the network gets attacked. To do this, you need to edit the MongoDB configuration file “auth-true.”
Moreover, you need to enable firewalls and disable remote access to MongoDB databases if you can. For admins, it is recommended to block access to port no. 27017, which can be done by using firewalls. You also need to configure Bind_ip, which will bind local IP addresses and limit the server’s access. You must not forget to upgrade the software and install latest patches and updates.