Kromtech Security has done a follow-up on reports from last year about misconfigured MongoDB installations having their data deleted and replaced by “ransom” messages. The attackers were having a field day back then, but what is happening now?
So Kromtech decided to employ a honeypot. It went live on March 1, 2018. And here’s what happened next:
Immediately upon placing it on the Internet we noticed the regular flurry of automated port scans from many different parts of the globe. However, the first real connection to the database was made on March 2, 2018, by a security research search engine from the Shadowserver Foundation.
What came next was a slight surprise: there were plenty of port scans, but there were no other direct connections to the database for ten days.
The next direct connection came from the security research search engine Shodan. Shodan indexed it on March 11th, 2018, 13:52:31.782349 UTC and retrieved data about the database and its collections.
Three hours and twenty-four minutes following Shodan indexing, the database was first compromised by an IP address we traced to China.
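The timeline above is the kind of thing a defender wants to pull out of a database server's own logs automatically: which clients were known research indexers, which client ran the first destructive command, and how long after the last indexing that happened. The script below is an added example, not Kromtech's honeypot tooling. It parses a constructed sample of mongod-style log lines (the IP addresses are from documentation ranges and the research-scanner allow-list is hypothetical), maps each command back to the connection that issued it, and reports the first `dropDatabase`/`drop`/`delete` together with the elapsed time since the most recent indexer visit.

```python
import re
from datetime import datetime

# Constructed sample resembling mongod 3.x log output; not from the Kromtech honeypot.
# 192.0.2.10 and 198.51.100.7 stand in for research indexers, 203.0.113.44 for the attacker.
SAMPLE_LOG = """\
2018-03-02T09:14:02.113+0000 I NETWORK  [listener] connection accepted from 192.0.2.10:41022 #1 (1 connection now open)
2018-03-02T09:14:02.250+0000 I COMMAND  [conn1] command admin.$cmd command: listDatabases { listDatabases: 1 }
2018-03-11T13:52:31.782+0000 I NETWORK  [listener] connection accepted from 198.51.100.7:55120 #2 (1 connection now open)
2018-03-11T13:52:32.001+0000 I COMMAND  [conn2] command admin.$cmd command: listDatabases { listDatabases: 1 }
2018-03-11T17:16:31.900+0000 I NETWORK  [listener] connection accepted from 203.0.113.44:60001 #3 (1 connection now open)
2018-03-11T17:16:33.412+0000 I COMMAND  [conn3] command customers.$cmd command: dropDatabase { dropDatabase: 1 }
2018-03-11T17:16:34.000+0000 I COMMAND  [conn3] command WARNING.$cmd command: insert { insert: "README" }
"""

# Hypothetical allow-list of research indexers; a real one is curated from the scanners'
# published source ranges and reviewed regularly.
KNOWN_RESEARCH_SCANNERS = {
    "192.0.2.10": "shadowserver-like indexer",
    "198.51.100.7": "shodan-like indexer",
}

# Commands that destroy data; the ransom pattern is "drop everything, insert a note".
DESTRUCTIVE = {"dropDatabase", "drop", "delete"}

CONN_RE = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[listener\] connection accepted from "
    r"(?P<ip>[\d.]+):\d+ #(?P<conn>\d+)"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] command (?P<ns>\S+) command: (?P<cmd>\w+)"
)


def parse_ts(text):
    """Parse a mongod ISO-8601 timestamp with millisecond precision and numeric offset."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def analyze(log_text):
    """Return details of the first destructive command, or None if there was none.

    Connection IDs tie COMMAND lines back to the remote IP seen on the
    'connection accepted' line, so the actor can be classified.
    """
    conn_ip = {}          # connection id -> remote IP
    last_research = None  # (timestamp, ip) of the most recent research-indexer connection
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            if m["ip"] in KNOWN_RESEARCH_SCANNERS:
                last_research = (parse_ts(m["ts"]), m["ip"])
            continue
        m = CMD_RE.match(line)
        if not m or m["cmd"] not in DESTRUCTIVE:
            continue
        ts = parse_ts(m["ts"])
        ip = conn_ip.get(m["conn"], "unknown")
        result = {
            "timestamp": ts,
            "actor_ip": ip,
            "actor_is_research_scanner": ip in KNOWN_RESEARCH_SCANNERS,
            "command": m["cmd"],
            "namespace": m["ns"],
        }
        if last_research is not None:
            result["last_index_ip"] = last_research[1]
            result["seconds_since_last_index"] = (ts - last_research[0]).total_seconds()
        return result
    return None


if __name__ == "__main__":
    hit = analyze(SAMPLE_LOG)
    if hit is None:
        print("no destructive commands found")
    else:
        print(f"{hit['command']} on {hit['namespace']} from {hit['actor_ip']} at {hit['timestamp']}")
        if "seconds_since_last_index" in hit:
            print(f"{hit['seconds_since_last_index'] / 3600:.2f} h after the last index by "
                  f"{hit['last_index_ip']}")
```

Run against a real mongod log, the same pass gives the server's exposure window (first accepted external connection) and time-to-compromise; on the constructed sample it reports the drop 3.40 hours after the last indexer visit, mirroring the interval the honeypot saw.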
Read more from Bob Diachenko about the compromise and ransom message on MacKeeper’s Security Research Center.