Slashdot Mirror


Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one of which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related.
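The exposure described in the summary comes down to two mongod settings: listening on every network interface and running with access control switched off. As an added illustration (not from the article, the researchers or the MongoDB project), here is a constructed mongod.conf showing that weak configuration next to a hardened one; the storage path is a placeholder.

```yaml
# Constructed example, not a file from the article.
# First document: the pattern behind the hijacked instances (weak).
storage:
  dbPath: /var/lib/mongodb          # placeholder path
net:
  port: 27017
  bindIp: 0.0.0.0                   # binds every interface, so the port is reachable from the internet
# No "security" section at all: mongod then runs without access control,
# so any client that can reach port 27017 may read, drop and recreate
# collections, which is how a ransom-note collection ends up replacing the data.

---
# Second document: the same instance after hardening.
storage:
  dbPath: /var/lib/mongodb          # placeholder path
net:
  port: 27017
  bindIp: 127.0.0.1                 # local clients only; list a private app-server address if one
                                    # is needed, never 0.0.0.0
security:
  authorization: enabled            # every connection must authenticate as a created user
```

Enabling authorization on an instance that has no users yet means the first administrative user has to be created through the localhost exception before clients can connect again, so create it before rolling this file out. The bindIp change is no substitute for a host or network firewall rule on 27017, which is the second layer that keeps a future misconfiguration from becoming an internet-facing one.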

11 of 115 comments

  1. lol by Anonymous Coward · · Score: 4, Insightful

    a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

    1. Re:lol by Mr+D+from+63 · · Score: 3, Funny

      > a passwordless admin interface exposed to the internet?

      It had to be the Russians, according to federal officials they are the only ones smart enough to pull this off.

  2. Managed by morons by rossz · · Score: 3, Interesting

    Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

    --
    -- Will program for bandwidth
    1. Re:Managed by morons by anchovy_chekov · · Score: 3, Interesting

      > Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

      This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.

      Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.

    2. Re:Managed by morons by tomhath · · Score: 4, Interesting

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do.

  3. Clearly... by QRDeNameland · · Score: 5, Funny

    MongoDB attacks are Web Scale.

    --
    Momentarily, the need for the construction of new light will no longer exist.
    1. Re:Clearly... by plopez · · Score: 3, Funny

      The lack of admin password is the secret sauce.

      --
      putting the 'B' in LGBTQ+
  4. Re:$200 by thegarbz · · Score: 3, Interesting

    Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.

  5. You are much more sure than SCO is by raymorris · · Score: 4, Informative

    > To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.

    Some of us pay attention to who is right and wrong, rather than deciding absolutely everything based on "big mean corporation."

    SCO originally filed for misappropriation of trade secrets and unfair competition. Later, they decided breach of contract might be better. Still later, they decided maybe copyright infringement. Obviously, SCO wasn't so sure exactly what they were complaining about - not nearly as sure as you are.

    They claimed that up to 0.0001% of the Linux kernel might have been derived from Unix, but refused to say which parts. As the judge began to strike down their claims unless they identified which code they were talking about, they pointed to some BSD licensed code written by Thompson - code they clearly had no copyright rights to.

    When it was pointed out that Novell, not SCO, owned the Unix copyright, SCO tried to buy the copyrights from Novell. Again, Novell clearly wasn't too sure they owned the copyrights, they were trying to buy them from Novell, yet you're sure that they already owned them.

    SCO then claimed that the GPL itself is illegal and unconstitutional! Which would of course mean that SCO were themselves unlawfully distributing GPL code! Yeah, that annoyed some people.

    SCO didn't just lose a case, they were laughed out of court repeatedly. "We're suing you for violating the copyright on Unix, but we're still trying to buy that copyright so can we have a short delay?" What!?!? It was one of the most ridiculous cases ever. That's why people didn't root for SCO: it was because SCO was engaging in ridiculous trolling that made no sense. They argued that the "offending code" was part of the Linux kernel, then argued that it wasn't. They couldn't even make up their mind.

  6. Re:Nuke, upgrade, and restore from backups by supremebob · · Score: 4, Insightful

    You think that someone who didn't bother setting an admin password for an Internet facing database bothered to configure backups for it?

  7. Re:Nuke, upgrade, and restore from backups by plopez · · Score: 4, Interesting

    they backed up to /dev/null because it was web scale.

    --
    putting the 'B' in LGBTQ+