Bitcoin Databases Privacy Security The Almighty Buck Technology

Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

Posted by BeauHD from the give-me-your-money-or-else dept.
An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related.
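The two conditions the summary describes, a mongod with no authorization and a listener reachable from the internet, are both plain settings in mongod.conf. The following is an added example (not code from the page, Bleeping Computer, Shodan or the MongoDB project) that parses the flat two-level layout mongod.conf uses and reports both weaknesses, with a constructed weak config beside a constructed hardened one; the tiny parser covers only that layout, not full YAML, and the finding codes are this example's own.

```python
"""Audit a mongod.conf for the two settings behind the exposures described above.

Added example, not from the article or MongoDB. The sample configs below are
constructed; the parser handles only the 'section:\n  key: value' layout that
mongod.conf normally uses, not arbitrary YAML.
"""

# Constructed: listens on every interface and never enables authorization.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: local listener only, role-based authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse 'section:' headers with indented 'key: value' children into dicts."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            conf[section] = value if value else {}
        else:
            if not isinstance(conf.get(section), dict):
                raise ValueError(f"nested key outside a section: {raw!r}")
            conf[section][key] = value
    return conf


def _section(conf, name):
    sec = conf.get(name)
    return sec if isinstance(sec, dict) else {}


def audit(conf):
    """Return (code, message) findings; an empty list means both checks passed."""
    findings = []
    security, net = _section(conf, "security"), _section(conf, "net")

    # mongod runs without authorization unless the operator turns it on.
    if security.get("authorization", "").lower() != "enabled":
        findings.append(("NO_AUTH",
                         "security.authorization is not 'enabled': any client that can "
                         "reach the port has full read/write access"))

    bind = net.get("bindIp", "")
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if net.get("bindIpAll", "").lower() == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(("BIND_ALL",
                         "net.bindIp accepts connections on every interface"))
    elif not addrs:
        # Before 3.6 the mongod binary itself listened on all interfaces when
        # bindIp was unset, so an unset value is treated as a finding too.
        findings.append(("BIND_UNSET",
                         "net.bindIp is unset: older mongod binaries listen on all interfaces"))
    return findings


def main():
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_mongod_conf(text))
        print(f"{label}: {'OK' if not findings else ''}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")


if __name__ == "__main__":
    main()
```

Point the parser at a real /etc/mongod.conf to run the same two checks on a host; a clean result still says nothing about whether a firewall or security group in front of the port does its job, so treat it as one layer of the check rather than the whole of it.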

  • lol (Score:1, Insightful)

    by Anonymous Coward

    a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

    • a passwordless admin interface exposed to the internet?

      It had to be the Russians, according to federal officials they are the only ones smart enough to pull this off.

  • Managed by morons (Score:3)

    by rossz ( 67331 ) <ogreNO@SPAMgeekbiker.net> on Wednesday January 04, 2017 @05:55PM (#53607137) Homepage Journal

    Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

    • Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

      This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.

      Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.

    • Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

      If they were the price would be set higher.

    • Re: (Score:2)

      by tomhath ( 637240 )

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do.

      • I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

        If that's what actually happened, the Mongo project has some explaining to do

        Wow. If that's true that's the most mindblowingly insane thing I've ever heard about Mongo. I avoid it because of a host of other issues, but if they actively screwed installs - and any of those users have support contracts with MongoDB Inc - it could well spell the end of the company. Can't find anything on the webs about it, so if you do stumble across any details I'd be interested to see them.

  • $200 (Score:3)

    by ShanghaiBill ( 739463 ) on Wednesday January 04, 2017 @05:56PM (#53607147)

    ... asking for 0.2 Bitcoin ($200) ransom

    That seems like a modest ransom. At least he isn't greedy.

    • Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.

    • Re: (Score:2)

      by plopez ( 54068 )

      How does he get rich? Volume! As well as the attitude of "let's just pay it, it's so small". Factor in that it might even be a misdemeanor in some places. And we do not even know how many places were hit. Overall a clever strategy.

  • Clearly... (Score:5, Funny)

    by QRDeNameland ( 873957 ) on Wednesday January 04, 2017 @05:56PM (#53607149)

    MongoDB attacks are Web Scale.

  • Too bad there's no CVE for retarded admins (Score:1)

    by Anonymous Coward

    If there was a CVE assigned for every stupid mongodb admin, they'd have blown Android out of the water.

    You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!

  • Those pesky Russians are at it again.

  • Fuck these ransom guys. Keeping good backups is a little bit of extra work, but at least you have the option to restore, even if you've been hacked because of gross negligence / shameful ignorance / plain stupidity like this.

    • You think that someone who didn't bother setting an admin password for an Internet facing database bothered to configure backups for it?

  • The idiot developers that want everything in [ insert the name of your currently favorite dev language here ] including security!

    They all want a single, or better yet, no username and password on the db in question! When will the developers EVER learn anything?

    • Re: (Score:2)

      by plopez ( 54068 )

      This is one big reason I have come to hate IT and developers. The same stupid mistakes over and over again. And when you flag it you get an attitude of "u r old sk3w1", "you don't get it", etc.

      And in at least 2 cases I tried to warn them and when the fecal material impacted the rotary air circulation device guess who got blamed? The guy who tried to stop them. As if I had somehow jinxed them by trying to help them.

