For the past week, a number of us have been watching the explosive growth of attacks on misconfigured MongoDB installations. Victor Gevers of GDI Foundation and Niall Merrigan, a Norwegian developer, have been providing yeoman service investigating the problem, making notifications, and keeping us all apprised of their findings through their Twitter accounts.
It all started scarily – but simply – enough with attackers removing files from MongoDB installations that had been left open on Port 27017. The attackers removed files and created a replacement database with a catchy name like “CONTACTME” or “PLEASE_READ.” The ransom notes said that the attacker had preserved all the data, and the victim could recover it if they sent BTC to the specified BTC wallet in the note. Once the payment was made, the victim was to email the attacker with their IP address, at which time, their data would presumably be returned to them. If prompt payment wasn’t made, well, the data would be permanently destroyed.
It seemed like a straightforward ransom model when DataBreaches.net reported on how Emory Healthcare had apparently become one of its victims.
Within days of the first attacks, one attacker (HaraK1r1)’s email account was closed. Anyone making a payment and then attempting to email HaraK1r1 to get their data back would not have been able to do so.
Then, and as other attackers joined the party, they seem to have stomped over each other’s work:
In Dec 2016 @GDI_FDN warned a 60 companies for an open MongoDB
47 were hit by harak1r1 on 1/2. On 1/5 0wn3d overwrites note on 33 of them.— Victor Gevers (@0xDUDE) January 5, 2017
One attacker even acknowledged that this might have happened, in which case, they wrote, a partial refund would be offered.
But of greater concern, and as Victor Gevers has been trying to warn victims since January 5, most of these hackers are lying (what a shock, right?).
Gevers and Niall Merrigan are finding evidence that although the hackers claim they have saved your data and will return it, for the most part, that is not what is happening. What is happening, the researchers claim, is that the data are just being wiped. There appears to be one attacker who may be saving some of the data, but overall, this now appears to be a tremendous scam where attackers claim to have stolen your data, and if you’ll just pay them, you’ll get it back, when in reality, they’ve just deleted your data. Why should they pay for all that storage space, right, if they can get you to send them about $200 in a panic?
As of the time of this posting, there have been about 12 accounts/attackers, each with its own email address and bitcoin wallet(s), and there have been more than 11,253 MongoDB installations that have been wiped in the past few weeks.
For a listing of known attacker accounts with their corresponding email addresses, bitcoin wallets, and additional details, see this helpful document created and maintained by Gevers and Merrigan.
DataBreaches.net will continue to cover this situation.
But NOW will you take a minute to check whether your MongoDB installation is secure? If it’s not, you may wind up locking the barn door after the horse gets stolen or worse, killed. MongoDB has provided these instructions for how to avoid becoming a victim.