Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

Posted by BeauHD on Wednesday January 4, 2017 @10:50AM from the give-me-your-money-or-else dept.

An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related.

5 of 115 comments (clear)

Min score:

Reason:

Sort:

Managed by morons by rossz · 2017-01-04 10:55 · Score: 3, Interesting

Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

--
-- Will program for bandwidth
1. Re:Managed by morons by anchovy_chekov · 2017-01-04 11:17 · Score: 3, Interesting
  
  Your database is exposed to the internet and doesn't have a password? How is it you are still employed?
  This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.
  
  Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.
2. Re:Managed by morons by tomhath · 2017-01-04 11:36 · Score: 4, Interesting
  
  I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.
  If that's what actually happened, the Mongo project has some explaining to do
Re:$200 by thegarbz · 2017-01-04 11:16 · Score: 3, Interesting

Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.
Re:Nuke, upgrade, and restore from backups by plopez · 2017-01-04 12:24 · Score: 4, Interesting

they backed up to /dev/null because it was web scale.

--
putting the 'B' in LGBTQ+