For the last couple of years, hackers have been exploiting unprotected MongoDB-based servers to steal data and hold the exposed databases for ransom. In one such case, hackers leaked 36 million records of internal data collected from several vulnerable servers.
Researchers at the German information security firm Kromtech ran an experiment in which they deliberately left a MongoDB database exposed to the public and monitored the incoming connections, in order to gauge how quickly, and how thoroughly, exposed MongoDB servers are attacked.
The seriousness of the matter can be gauged from the fact that in 2015 John Matherly of Shodan, the world’s first search engine for IoT devices, revealed that over 30,000 unprotected MongoDB databases were exposed to public access.
The honeypot database (a honeypot is a decoy system set up to detect and study attempts at unauthorized use of information systems) contained 30GB of fake data. According to Kromtech’s post, it took only three hours for attackers to find the database; they then wiped its data in just 13 seconds and left a ransom note demanding 0.2 Bitcoin.
In 2017, hackers held several MongoDB databases for ransom and demanded the same 0.2 Bitcoin in return. It is unclear whether the hackers who took over the honeypot database are part of the same group. However, according to Kromtech’s Chief Communication Officer Bob Diachenko, the attack on their database has been traced back to China.
The researchers are certain that only an automated script could complete such a task within 13 seconds.
Information security analysts from Kromtech noted “The attacker connects to our database first, then drops the databases to delete them, drops the Journals to erase their tracks, creates a database called Warning with Readme collection and the Solution Record, then drops the Journals again to cover their tracks. This was all completed in just thirteen seconds, leading to the conclusion that this was the work of an automated script”.
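The sequence Kromtech describes (connect, drop the databases, create a database called Warning with a Readme collection) leaves a recognisable trail in the server's own log, and the 13-second duration is itself the strongest indicator. The following is an added example written for this article, not code from Kromtech or from MongoDB: it scans constructed mongod-style log lines and flags any connection that drops one or more databases and then writes to Warning.Readme shortly afterwards. The log line layout, the connection ids and the database names are assumptions made for the sample; a real deployment would read the same fields from its own mongod log.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample in the style of a mongod 3.x text log. The field layout is an
# assumption about that format, and these lines are not from the Kromtech post.
# conn42 is the wipe-and-ransom script; conn57 is a lone dropDatabase (e.g. a
# developer) that must NOT be flagged; conn61 is ordinary read traffic.
SAMPLE_LOG = """\
2017-09-05T10:12:01.100+0000 I NETWORK  [listener] connection accepted from 198.51.100.7:51234 #42 (1 connection now open)
2017-09-05T10:12:01.250+0000 I COMMAND  [conn42] command admin.$cmd command: listDatabases { listDatabases: 1 } 3ms
2017-09-05T10:12:02.000+0000 I COMMAND  [conn42] command customers.$cmd command: dropDatabase { dropDatabase: 1 } 410ms
2017-09-05T10:12:05.300+0000 I COMMAND  [conn42] command orders.$cmd command: dropDatabase { dropDatabase: 1 } 380ms
2017-09-05T10:12:09.900+0000 I COMMAND  [conn42] command Warning.$cmd command: insert { insert: "Readme", ordered: true } 2ms
2017-09-05T10:12:14.100+0000 I COMMAND  [conn42] command Warning.$cmd command: insert { insert: "Readme", ordered: true } 1ms
2017-09-05T11:02:40.000+0000 I COMMAND  [conn57] command staging.$cmd command: dropDatabase { dropDatabase: 1 } 120ms
2017-09-05T11:30:00.000+0000 I COMMAND  [conn61] command analytics.$cmd command: find { find: "events" } 5ms
"""

Event = namedtuple("Event", "ts conn db cmd coll")

# One COMMAND line: timestamp, connection id, "<db>.$cmd", command name, "{ body }".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[(?P<conn>conn\d+)\] "
    r"command (?P<db>[^.\s]+)\.\$cmd command: (?P<cmd>\w+) \{(?P<body>.*)\}"
)
# Collection named by a write command, e.g. insert: "Readme".
COLL_RE = re.compile(r'\b(?:insert|update|delete|create):\s*"([^"]+)"')


def parse_events(log_text):
    """Turn COMMAND log lines into Event tuples; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        coll = COLL_RE.search(m["body"])
        events.append(Event(ts, m["conn"], m["db"], m["cmd"], coll.group(1) if coll else None))
    return events


def detect_wipe_and_ransom(log_text, max_seconds=60.0):
    """Flag each connection that drops one or more databases and then writes a
    Warning.Readme note within max_seconds of its first dropDatabase."""
    by_conn = defaultdict(list)
    for ev in parse_events(log_text):
        by_conn[ev.conn].append(ev)

    findings = []
    for conn, evs in by_conn.items():
        drops = [e for e in evs if e.cmd == "dropDatabase"]
        if not drops:
            continue
        first_drop = drops[0].ts
        notes = [e for e in evs
                 if e.cmd == "insert" and e.db.lower() == "warning"
                 and (e.coll or "").lower() == "readme" and e.ts >= first_drop]
        if not notes:
            continue  # a dropDatabase with no ransom note afterwards is not a match
        elapsed = (notes[0].ts - first_drop).total_seconds()
        if elapsed <= max_seconds:
            findings.append({
                "conn": conn,
                "dropped_dbs": [e.db for e in drops],
                "ransom_note": "%s.%s" % (notes[0].db, notes[0].coll),
                "seconds_to_note": round(elapsed, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_wipe_and_ransom(SAMPLE_LOG):
        print(finding)
```

Keying on the pair of events, rather than on dropDatabase alone, is what keeps legitimate administrative drops (conn57 above) out of the alert queue; the time window then separates a scripted wipe from a human working through the same steps over an afternoon. Note that by the time this fires the data is already gone, which is why the fix is to prevent the unauthenticated connection in the first place.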
The researchers advise administrators to secure their databases, since exposed MongoDB servers remain at risk. Another important aspect of the ransom attacks against MongoDB is that the hackers simply delete the database: 30GB cannot be copied out in 13 seconds, so nothing is held that could be given back, and even if the victim pays, the data will never be returned.
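The two settings that turn a MongoDB server into a target for this attack are listening on every network interface and running without access control. As an added illustration written for this article, not configuration from the Kromtech honeypot or from the MongoDB project, the following shows a weak mongod.conf beside a hardened one and a small audit that flags the exposed settings. The file contents, the addresses and the audit helper are assumptions made for the example; the configuration keys themselves (net.bindIp, net.bindIpAll, security.authorization) are the real mongod.conf options.

```python
# Constructed examples of a mongod.conf (YAML) as found on an exposed server and
# after hardening. They are illustrations written for this article, not
# configuration taken from the Kromtech honeypot.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from the whole Internet
# no security section: every client that connects is an administrator
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the private app-tier address (assumed)
security:
  authorization: enabled        # clients must authenticate as a created user
"""


def read_mongod_conf(text):
    """Minimal reader for the two-level 'section:' / '  key: value' layout that
    mongod.conf uses. Deliberately not a full YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return the settings that leave the server open to the wipe-and-ransom
    attack; an empty list means both checks passed."""
    conf = read_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []

    bind = net.get("bindIp")
    addrs = [a.strip() for a in bind.split(",")] if bind else []
    if net.get("bindIpAll", "false").lower() == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp: listens on all interfaces; bind to loopback and trusted addresses only")
    elif bind is None:
        # mongod 3.6+ defaults to localhost, but older builds listen on all interfaces.
        findings.append("net.bindIp: not set; builds before 3.6 then listen on all interfaces")

    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled; any client that can reach the port can drop databases")
    return findings


if __name__ == "__main__":
    print("weak:", audit_mongod_conf(WEAK_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

Enabling authorization only helps once at least one user has been created in the admin database, and binding to a private address only helps if the host firewall and cloud security group agree with it; the audit checks the file, not the running process, so confirm with a connection attempt from an untrusted network after restarting mongod.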