A hacker is attempting to monetize on MongoDB databases exposed to the Internet by hijacking them and demanding a ransom for the data, security researcher Victor Gevers has discovered.
Going by the online handle of Harak1r1, the hacker searches for insecure, exposed MongoDB databases and then attempts to compromise them. After accessing these databases, the attacker steals their content and denies access to it by replacing the databases with one called WARNING, containing one table with one record, both called WARNING too.
Victims are instructed to send 0.2 Bitcoins (BTC) to a specific Bitcoin address to recover their data. As it turns out, over a dozen companies have already paid the ransom.
“Send 0.2 BTC to this address 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq and contact this email [email@example.com] with your IP of your server to recover your database!” the warning reads.
According to Victor Gevers, co-founder of GDI Foundation, a non-profit organization, the attackers might be using an automation tool, but they probably manually select the databases to target. Basically, the hackers appear interested only in those databases that contain important data, because the affected companies are more likely to pay the ransom to regain access to them.
“They use some sort of automation tool, but they also do some of the work manually. If they used a fully automated tool, we might have seen all exposed MongoDB databases being hijacked in one swift move,” Gevers told SecurityWeek.
The hijacking campaign is ongoing, with the number of attacked MongoDB databases growing fast, Gevers told us. It all started with what appeared to be an isolated incident just before Christmas, but the attack had already hit hundreds of databases several days later, and the researcher decided to post information about it online.
Yesterday, the number of compromised databases was around 2,000, but it has since grown to over 3,500, the security researcher said. What’s more, Gevers discovered that companies are actually paying the ransom in an attempt to retrieve their data.
Information available on Blockchain.info shows that the Bitcoin address used by the attacker has been constantly receiving payments for the past two weeks, and that the attackers are moving the money to other destinations. A total of 14 different payments were made to the address between December 21, 2016, and January 3, 2017.
“Searching for the compromised databases on Shodan this morning revealed that the number has grown significantly since yesterday. This is clearly a real-life attack happening right now, and companies are paying to retrieve their data,” Gevers said.
Apparently, the attackers don’t care which countries the affected entities are from. Soon after the news broke, companies from the United States, United Kingdom, China, Finland, and other countries confirmed such incidents, the researcher says. These organizations are from a variety of industries, including healthcare, Gevers also reveals.
The researcher points out that this incident once again proves that MongoDB databases exposed to the Internet represent a major vulnerability for companies. Such databases, he explains, have long been abused for malicious purposes, even vandalism.
“However, this is the first time we encounter a situation where an exposed database is held for ransom,” Gevers continued.
To put things into perspective, there are over 30,000 MongoDB installations on the web, most believed to be insecure and publicly available. Gevers, who has been searching for insecure databases for years, has sent thousands of responsible disclosure emails to the affected companies, but never before warned about their databases being used for extortion.
The exposed databases allow unauthenticated connections via port 27017, meaning that anyone can access them with full admin rights and can create, read, update and delete records. Usually, Gevers warns companies that insecure databases can be used to host malware or botnets, or for hiding files in GridFS. Now, he also warns them that databases could be held for ransom.
“Our advice would be to protect this server with a firewall blocking port 27017 or limit the access of the service with bind_ip to only accept local connections as option in the configuration. Or you can choose to restart the database server with -auth option after you create users who can access the database,” Gevers tells affected companies.
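A way to check a mongod configuration file for the two weaknesses just described, as an added example that is not from the article or from Gevers: it flags a server listening on all interfaces and one running without authorization. It assumes the stock configuration formats (the YAML-style mongod.conf and the older key = value style the bind_ip setting comes from) and treats a missing bindIp as all interfaces, which was the default in the MongoDB versions current when the article ran; the sample configs below are constructed.

```python
"""Audit a mongod config for the exposures behind the MongoDB ransom campaign:
listening on every interface (bindIp / bind_ip) and running without auth."""
import re

# Constructed sample: the shape of a hijacked server's config (no auth, all interfaces).
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the Internet
"""

# Constructed sample following the quoted advice: local-only binding plus auth.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_mongod_config(text):
    """Flatten a config into {'section.key': value}. Handles the two-level YAML
    subset mongod.conf uses and legacy 'key = value' lines; strips # comments."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if (m := re.match(r"^(\w+):\s*$", line)):           # YAML section header
            section = m.group(1)
        elif section and (m := re.match(r"^\s+(\w+):\s*(.+)$", line)):
            settings[f"{section}.{m.group(1)}"] = m.group(2).strip()
        elif (m := re.match(r"^(\w+)\s*=\s*(.+)$", line)):   # legacy ini-style
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_mongod_config(text):
    """Return a list of findings; an empty list means neither exposure is present."""
    s = parse_mongod_config(text)
    findings = []
    # Assumption: absent bindIp means all interfaces (pre-3.6 default behaviour).
    bind = s.get("net.bindIp", s.get("bind_ip", "0.0.0.0"))
    if any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")) \
            or s.get("net.bindIpAll", "false").lower() == "true":
        findings.append("listens on all interfaces (bindIp)")
    auth_on = s.get("security.authorization") == "enabled" \
        or s.get("auth", "false").lower() == "true"   # legacy 'auth = true'
    if not auth_on:
        findings.append("authentication not enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or "ok")
```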