A mysterious hacker is breaking into unprotected MongoDB databases, stealing their content, and asking for a ransom to return the data.

Co-founder of the GDI Foundation Victor Gevers is warning of poor security for MongoDB installations in the wild. The security expert has discovered 196 instances of MongoDB that were wiped by crooks and being held for ransom.

A hacker who goes by online moniker Harak1r1 is demanding 0.2 BTC, roughly $200 at the current exchange,  in order to restore the installation. The crooks also request system administrators to demonstrate the ownership of the installation through email.

It seems that the hacker is focusing on open MongoDB installations, likely using a search engine like Shodan.

On December 27, Gevers discovered a MongoDB server that was left accessible without authentication through the Internet.

“Unlike other instances he discovered in the past, this one was different. When he accessed the open server, instead of looking at the database’s content, a collection of tables, Gevers found only one table, named “WARNING”. ”  reads a blog post published on bleepingcomputer.com.

The attacker accessed the open MongoDB database, exported its content, and replaced all data with a table containing the following code:

{ “_id” : ObjectId(“5859a0370b8e49f123fcc7da”), “mail” : “harak1r1@sigaint.org“, “note” : “SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !” }

“I was able to confirm [this] because the log files show clearly that the date [at which] it was exported first and then the new database with tablename WARNING was created,” Gevers told BleepingComputer. “Every action in the database servers was being logged.”

The expert notified victims their database were hacked:

“Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases were open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” he wrote in the notification letter sent to the victims. 

mongodb

Querying Google for the hacker’s email address and Bitcoin address it is possible to verify that many other users were victims of the same attacker.

Gevers suggests to block access to port 27017 or limit access to the server by binding local IPs in order to protect the MongoDB installations. MongoDB admins could also restart the database with the “–auth” option, after they’ve assigned users access.

Below other tips useful for MongoDB admins:

  • Check the MongDB accounts to see if no one added a secret (admin) user.
  • Check the GridFS to see if someone stored any files there.
  • Check the logfiles to see who accessed the MongoDB (show log global command).

In December 2015, the popular expert and Shodan creator John Matherly found over 650 terabytes of MongoDB data exposed on the Internet by vulnerable databases.

Other clamorous cases of open MongoDB exposed on the Internet were found by the researcher Chris Vickery.In December 2015 the security expert Chris Vickery discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

Pierluigi Paganini

[adrotate banner=”22″]