
Information security researchers have reported a new wave of ransomware attacks on servers running MongoDB. This time more than 26,000 servers have been hijacked, 22,000 of them by a single group.
The attacks were noticed by researchers Dylan Katz and Victor Gevers. According to them, the hacks continue the so-called "MongoDB apocalypse", which began in December 2016 and lasted several months into 2017. Back then attackers went after poorly configured MongoDB servers whose administrators had not restricted external connections to them. The standard attack scenario looked like this: the attackers connected to the exposed server, deleted all the data from the database, and demanded a ransom for its return.
Most of the attacked servers were test systems; in some cases, however, the attackers reached production databases, so some companies paid the ransom, but none of them got their data back.
New wave of attacks
Several security researchers kept statistics on the MongoDB attacks in a shared Google Docs spreadsheet: more than 45,000 databases were wiped during the Apocalypse. At the same time, the extortion attacks spread to other technologies, for example ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL.
In the summer of this year the extortionists' activity began to decline, but last week three groups started a new round of attacks. The researchers counted the groups by the number of email addresses used in the ransom notes (cru3lty@safe-mail.net, wolsec@secmail.pro, mongodb@tfwno.gf), although experts from Positive Technologies consider this counting method questionable.
Fewer attacks, bigger consequences
In an interview with Bleeping Computer, Victor Gevers said that the number of attackers has fallen compared with last year's wave, but the scale of their operations has grown: the average number of victims per attack has increased several times over. For comparison, during the previous wave of MongoDB attacks it took the attackers a month to compromise 45,000 servers, whereas the Cru3lty group reached half that figure in a single week.
According to Gevers, he has even recorded repeat attacks, in which an administrator restored the database from a backup only to have it wiped again the same day. The researcher is not yet sure why the attacks succeed: it is unclear whether the victims are running an outdated version of MongoDB or have simply misconfigured the DBMS.
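The misconfiguration behind both waves of attacks, shown here as an added illustration that is not part of the article or of any of the victims' real configurations: two mongod.conf fragments, the exposed pattern the attackers were finding and a hardened equivalent. The port and addresses are the usual defaults; treat the private-network address as an assumption for your own environment.

```yaml
# Added example, not from the article: the two mongod.conf shapes discussed above.
# YAML document 1: the exposed pattern behind the "MongoDB apocalypse".
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface (the behaviour of old default builds)
# No "security" section at all, so authorization is off: anyone who can reach
# port 27017 can list, dump and drop every database without credentials.
---
# YAML document 2: hardened.
net:
  port: 27017
  bindIp: 127.0.0.1      # local only; add a private-network address (assumption: 10.0.0.5)
                         # only if an application server must connect over the network
security:
  authorization: enabled # every client must authenticate as a user holding a role
```

Two practical caveats: create an administrative user (via the localhost exception) before switching authorization on, or you lock yourself out; and remember that MongoDB 3.6 and later bind to localhost by default, so a server that is still listening on all interfaces is either an older version or has been deliberately opened up, which is exactly the version-versus-misconfiguration question the researcher raises. A quick external check is to run `mongo --host <public-ip> --eval 'db.adminCommand("listDatabases")'` from outside the network: if it returns database names without a login prompt, the server is in the first state above.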
Insecure MongoDB deployments are a long-known problem. Back in 2015, Shodan founder John Matherly published research showing that more than 30,000 MongoDB instances were reachable from the Internet without any access control.