Multiple Attackers Hijacking MongoDB Databases for Ransom
January 9, 2017
Seid Yassin (557 articles)
Share

Multiple Attackers Hijacking MongoDB Databases for Ransom

Late last year, researcher Victor Gevers discovered a hijacked database that had its content stolen and replaced with one that informed owners they should pay a ransom to regain access to the content. While thought at first to be an isolated incident, the attack proved to be widespread, with thousands of databases hit within two weeks or so.

The number of hijacked MongoDB databases appears to have been growing fast over the past couple of days, and has surpassed 10,000 as of this morning, Niall Merrigan reveals. The worrying part is that there are now three hackers or groups of hackers targeting those databases.

What this attack consists of is simple: the hijackers search for MongoDB databases exposed to the Internet, access them, then steal their content and replace the database with one called WARNING. In many cases, owners are instructed to pay a 0.2 Bitcoin ransom to regain access to their content.

A quick look at information related to the Bitcoin address victims are told to make the payment to reveals that at least 17 companies already paid the ransom (although the number of received payments is larger). At least 8,600 insecure databases are believed to have been already compromised by the hacker.

Most recently, the attackers changed the email address included in the ransom note, as well as the Bitcoin address used in their attacks. Security researchers managed to track at least four such addresses associated with this group of hackers.

According to MacKeeper, one of the hijacked databases belonged to Emory Healthcare, and over 200,000 data records might have been compromised in the process. MacKeeper says it discovered the misconfigured database on Dec. 30, 2016, and found it hijacked on Jan. 3, 2017, when the team went back to review the data.

Over the past few days, however, more hackers joined the operation. One of the groups is replacing the targeted databases with one called WARNING_ALERT, while another is replacing them with one called PWNED (with a variation that provides victims with only 72 hours to pay the ransom). The former is demanding a 0.5 Bitcoin ransom and already hit over 930 databases, while the latter demand 0.15 Bitcoin and compromised over 750 databases.

This morning, the researchers noticed a fourth group hijacking the databases, this time asking for a larger ransom: 1 Bitcoin. The group is replacing the databases with one called PLEASE_READ, and it is believed to have hit at least 13 of them so far.

According to Victor Gevers, companies should not pay the ransom, as this won’t guarantee the safe recovery of their data. In fact, he advises against paying, saying that some of the databases are being deleted, and that the crooks behind the attack can’t return the data even if the victim pays up.

“From numerous sources (log files) and reports by owners we can say that most of the attackers do not copy the data but make 3 times a connection with a duration between 5ms and 500ms which is enough to: 1. create new database; 2. write the note; 3. drop a database in this specific order. In a few cases where the owner could check outbound traffic between these times, there is no evidence of any data exfil. This means we can confirm that this actor does not have any data, so paying ransom is a bad idea,” Gevers told SecurityWeek.

What’s more, Gevers warns, is that some of the databases are overwritten multiple times, most likely because attackers are overlapping in their attacks and the same databases are being hit more than once.

With tens of thousands of insecure MongoDB databases exposed to the Internet, it appears to be only a matter of time before the attack escalates further. For the time being, the hackers appear focused on compromising only those databases that might bring them a profit, but Gevers says that more and more victims are contacting him for help.

In a blog post on Friday, MongoDB’s Andreas Nilsson shared details on security best practices and steps that can be taken to secure MongoDB instances against attacks.

“We take security very seriously, and urge users to take adequate steps to secure their data,” Ian Bruce, VP Corporate Marketing and Communications at MondoDB, told SecurityWeek.

Source | securityweek