June 9, 2023

A hacker has uploaded ransom notes to 22,900 MongoDB databases left exposed online without a password, a number that accounts for roughly 47% of all MongoDB databases accessible online.

The hacker is using an automated script to scan for misconfigured MongoDB databases, wiping their content, and leaving a ransom note behind asking for a 0.015 bitcoin (~$140) payment.

The initial attacks did not include a data-wiping step: the attacker kept connecting to the same database, leaving the ransom note, and then returning a few days later to leave another copy of the same ransom note.

Ransom Note

Similar attacks happening since late 2016

“MongoDB wiping & ransom” attacks aren’t new, per se. The attacks Gevers spotted today are just the latest phase of a series of attacks that started back in December 2016, when hackers realized they could make serious money by wiping MongoDB servers and leaving a ransom demand behind, tricking server owners desperate to get their files back.

More than 28,000 servers were ransomed in a series of attacks in January 2017, another 26,000 in September 2017, and then another 3,000 in February 2019.

Almost three years later, nothing appears to have changed. From the 60,000 MongoDB servers left exposed online in early 2017, the needle has barely moved to 48,000 exposed servers today, most of which have no authentication enabled.

Most of the time, these servers get exposed online after administrators follow incorrect MongoDB configuration tutorials, make honest mistakes when configuring their systems, or use server images that come packed with a misconfigured MongoDB system out of the box.

The default MongoDB database setup today comes with secure defaults out of the box, but despite this, we still have tens of thousands of servers that get exposed online on a daily basis for one reason or another. For server admins looking to secure their MongoDB servers the proper way, the MongoDB Security page is the best place to start for getting the right advice.
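The two settings behind almost every server in these incidents are a mongod bound to every network interface and authorization left disabled. As an added example (not from the article, and not MongoDB's own tooling), the following Python script audits a mongod.conf for exactly those two settings and shows an exposed config beside a hardened one. The config keys `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod options; both config samples are constructed, and the tiny YAML subset parser is embedded so the script runs without PyYAML.

```python
"""Audit a mongod.conf for the misconfigurations that leave MongoDB exposed.

Assumes the config uses the plain nested 'key: value' YAML subset that
mongod.conf files normally use; a minimal parser is embedded so this runs
with the standard library only (it is not a general YAML parser).
"""
from typing import Any, Dict, List, Tuple


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse indentation-nested 'key: value' lines into nested dicts.

    Strips '#' comments and blank lines; leaf values are kept as strings.
    """
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Pop back to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def audit_config(conf: Dict[str, Any]) -> List[str]:
    """Return findings for an already-parsed config; empty list means it passed."""
    findings: List[str] = []
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    security = conf.get("security") if isinstance(conf.get("security"), dict) else {}

    # mongod has bound to localhost only by default since 3.6; 0.0.0.0, '::'
    # or bindIpAll: true makes it reachable from wherever the host is reachable.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    if bind_all or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net: mongod listens on all interfaces")

    # Without authorization, anyone who reaches the port can read and drop data.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled'")
    return findings


def audit_text(text: str) -> List[str]:
    """Parse a mongod.conf body and audit it."""
    return audit_config(parse_simple_yaml(text))


# Constructed example of the kind of config behind the ransomed servers.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface
# no 'security' section: authorization stays disabled
"""

# Constructed hardened counterpart: loopback plus one private address, auth on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback and the app server's private network
security:
  authorization: enabled       # require users and roles
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_text(conf) or ['ok']}")
```

Run it against your own `/etc/mongod.conf` by reading the file into `audit_text`; a clean result still leaves firewall rules and a remote-access path (VPN or SSH tunnel) to verify separately, but it catches the two settings this article's victims had wrong.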
