In December-2016, attackers were exploiting misconfigured open-source MongoDB databases and holding them for ransom. Bitcoin chart The ransomware attacks against MongoDB were first publicly reported by GDI Foundation security researcher Victor Gevers on Dec. Bitcoin exchange chart 27, 2016, and have been steadily growing ever since, with at least five different groups of hackers taking control of over 10,000 database instances.
Mongo databases which were not password protected have paid heavy price for this vulnerability. Well it was not a vulnerability. Vulnerability is a quality or state of being exposed to the possibility of being attacked or harmed. It was ignorance and when you ignore serious aspects like security, you have to pay unbearable price.
Above is a screenshot, which shows how hacker hacked into vulnerable mongo databases. Now after taking control of the database, they are simply removing the existing db and putting a ransom note in the table.
In above example, they removed the database and created a db name warning.
Here is ransom note in collection warning :
Send 0.1 Bitcoin to walletaddress 131qpnP9v2qGKbrAQirCZzunyw5x3dADsB and contact [email protected] to get your databases back.
Remedy :
Mongo DB admin must need to implement strong password for their databases as well as if code is on same server, they need to close the port 27017. They do not need an opened port for remote access if code is able to access database locally.
