According to credible intelligence from trusted sources, hackers attacked more than 25 percent of the MongoDB databases left open on the internet. Two individuals, Victor Gevers, a security researcher from the GDI Foundation, and Niall Merrigan, an independent developer from Norway, saw a recent spike in MongoDB database hacks. During a single week, hackers attacked enough vulnerable online databases to account for more than one-quarter of all MongoDB databases exposed online.
MongoDB claimed the fourth spot on the list of most popular databases of its type. Of the 300 or more variants, the open-source MongoDB fell behind only household names: Oracle, MySQL, and Microsoft SQL Server. Gevers located 99,000 MongoDB servers open to the Internet. As of the writing of this post on January 11, roughly 27,000 of those public databases no longer held content. The newly wiped databases displayed warning messages, including phrases such as ‘WARNING,’ ‘PWNED,’ and ‘PLEASE_READ.’
In each instance, the hackers made claims and promises about the data. In one example Gevers provided via his Twitter account, the hacker made an attempt at extortion. Problematically, no proof exists to back up the claim that the saved data even exists. The hackers' messages mostly consisted of a printed bitcoin address and some form of ransom note. The example above is exactly that case. The hacker wrote, “message: Your DB is Backed up at our servers, to restore, send 1.0 BTC to the Bitcoin Address then send an email with your server IP.” And, of course, they added an address to send a confirmation to: “email: [email protected]”.
The well-known KrebsOnSecurity blog explained that in its default configuration, MongoDB lacks any realistic security. The blog said that the default configuration “allows anyone to browse the databases, download them, or even write over them and delete them.” Unfortunately for the website admins and owners who fell victim to this weakness, the “write over them and delete them” part is what has appeared most commonly so far.
Other server administrators received not only a wipe of their complete database but also a threat, and not even a veiled one: “Notice: If you do not pay your database will be published online everyone will know your breach of security.” Gevers, the self-proclaimed ethical hacker, mentioned that someone or some group had listed a MongoDB ransomware bot for sale online; he pointed out that @rem1nd_ actually found the Pastebin listing.
The paste managed to stay online for a total of 48 views before an admin removed it. A backup copy can be found here, however.
The Register reached out to a spokesperson for MongoDB, who told them that security comes down to two different dynamics, “well-made software and responsible use.” The representative continued, “for example, with MongoDB Atlas, our production-ready managed database as a service, access control is enabled by default. Users of MongoDB Cloud Manager or Ops Manager can enable alerts to detect if their deployment is internet exposed.”
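The two settings behind the open databases described above (no access control, and a listener reachable from the internet) can be checked in the server's own configuration file. The following is an added example, not code from the article or from MongoDB; the sample configs are constructed, while the keys net.bindIp, net.bindIpAll and security.authorization are real mongod.conf options.

```python
# Added example, not code from the article: audit a mongod.conf for the two
# settings behind the open-database problem, namely access control disabled
# and listening on every interface. The sample configs are constructed.

WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset used by mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw[0].isspace():                # unindented: new section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip().strip("'\"")
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    conf, findings = parse_simple_yaml(text), []
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append("authorization not enabled: any client reaching the "
                        "port can read, overwrite or drop every database")
    net = conf.get("net", {})
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if net.get("bindIpAll", "").lower() == "true" or \
            any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("bindIp covers all interfaces: reachable from the "
                        "internet unless a firewall blocks the port")
    elif not addrs:
        findings.append("bindIp unset: releases before 3.6 listen on all "
                        "interfaces by default (3.6+ default to localhost)")
    return findings
```

Running `audit_mongod_conf(WEAK_CONF)` reports both problems, while the hardened config returns no findings.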
[Image: a SHODAN search revealing open databases]