Over 27,000 MongoDB databases have been held for ransom by a hacker going by the name Harak1r1. The hacker, who is targeting insecure MongoDB installations, copies and then deletes unpatched or poorly protected databases and then demands a ransom from the administrators.
The first hit was on Monday. It was only discovered when security researcher Victor Gevers spotted about 200 installations whose owners were being forced to pay ransoms for them to regain access to their data.
By Tuesday, the number of victims had shot up to 2,000, as reported by the founder of MongoDB, John Matherly. On Friday, the number grew further to 10,500, as noted by security researcher Niall Merrigan.
According to more recent statistics compiled by Merrigan, the number of compromised systems has since more than doubled, reaching 27,000 over the course of about 12 hours.
Apart from the growing number of victims, the other problem is that the ransoms are growing too. Initially the hacker demanded 0.2 Bitcoins, which translates to about $184; 22 victims paid that amount. The demands have since grown to about 2 Bitcoins, which is about 900 USD.
The researchers have taken note of 15 different attackers. The largest share of these hacks appears to have been carried out by an attacker using the email handle kraken0, who has compromised about 15,000 MongoDB installations and wants about 1 Bitcoin from each victim. So far no one has paid this attacker.
This suggests that after the story went public, more attackers took an interest in the weakness and hit the databases by accessing, copying and deleting any poorly configured data.
Although much of the blame falls on the hackers, the users who left their MongoDB databases poorly configured share it. All the victims had one thing in common: they were administrators who had set up their databases without a password.
Many poorly secured MongoDB databases can be spotted with the Shodan search engine, which at the moment shows over 99,000 insecure MongoDB installations.
How Can You Protect Yourself?
At the moment it is not clear whether the hackers actually copied the databases before deleting them. The ransoms demanded in exchange for restoring the data are therefore dubious.
Gevers advised all affected database owners not to pay the hackers and to get help from security professionals. So far, he and Merrigan have helped about 112 victims secure their vulnerable databases.
Administrators of MongoDB databases are encouraged to follow these steps:
Switch on authentication, which gives you defense in depth if your network is breached. Edit your MongoDB configuration file and set auth = true.
Use firewalls. Disable remote access to MongoDB if possible. Avoid common pitfalls by blocking access to port 27017 or binding MongoDB to a local IP address to limit access to the server.
Administrators are also encouraged to update their software to the latest version of MongoDB.
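As an added example that is not part of the original article, the script below audits a mongod.conf for the two settings behind these incidents: authorization switched off and a listener bound to every interface. It understands both the YAML format and the legacy `auth = true` format mentioned above; the sample configs are constructed, and treating an unset bindIp as open is an assumption about the releases current at the time of the attacks.

```python
import re

LEGACY_LINE = re.compile(r"^(\w+)\s*=\s*(.*)$")   # legacy "auth = true" style

def parse_mongod_conf(text):
    """Flatten a mongod.conf to {"section.key": value}. Handles the two-level
    YAML format and the legacy key = value format without a YAML module."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # strip comments
        if not line.strip():
            continue
        legacy = LEGACY_LINE.match(line.strip())
        if legacy:
            settings[legacy.group(1)] = legacy.group(2).strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        if indent == 0:                                  # top-level section
            section = key
        elif section:
            settings[section + "." + key] = val.strip()
    return settings

def audit(settings):
    """Findings that describe an instance exposed the way the victims' were."""
    findings = []
    auth = settings.get("security.authorization", settings.get("auth", "")).lower()
    if auth not in ("enabled", "true"):
        findings.append("authorization off: any client reaching the port can "
                        "read, copy and drop every database")
    # Assumption: the releases current during these attacks listened on all
    # interfaces when bindIp was unset, so a missing value is treated as open.
    bind = settings.get("net.bindIp", settings.get("bind_ip", "0.0.0.0"))
    if (settings.get("net.bindIpAll", "").lower() == "true"
            or any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))):
        findings.append("bound to all interfaces: port 27017 is reachable from "
                        "the network unless a firewall blocks it")
    return findings

# Constructed sample configs: the weak one resembles what the victims ran.
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
                 "security:\n  authorization: enabled\n")
LEGACY_CONF = "auth = true\nbind_ip = 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(name + ":", audit(parse_mongod_conf(conf)) or "no findings")
```

Run it against your own /etc/mongod.conf to confirm both findings are gone; a firewall rule on port 27017 is still needed for any host that must accept remote clients.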