Hacker hijacks 23k misconfigured MongoDB databases; threatens to leak data

A hacker has uploaded ransom notes on as many as 22,900 misconfigured MongoDB databases after wiping their content, thereby forcing hundreds of companies to either pay up or lose their data altogether.

The number of MongoDB databases targeted by the hacker accounts for almost half of all MongoDB databases accessible online, ZDNet reported, adding that the hacker is demanding 0.015 bitcoin (£109.12) for each hijacked MongoDB database.

According to the ransom notes, which are named READ_ME_TO_RECOVER_YOUR_DATA, if the owners of the misconfigured databases fail to pay within two days, the data stored in their databases will be leaked online and the leaks will be reported to the owners' local General Data Protection Regulation (GDPR) enforcement authority, exposing them to penalties.

Victor Gevers, a security researcher at GDI Foundation, told ZDNet that the hacker began planting ransom notes on misconfigured MongoDB databases in April this year but is now actually wiping data from them, and that many of these databases contain production data critical to organisations.

Misconfigured databases leaking billions of records online every year

All of the MongoDB databases the hacker accessed were reachable online because of misconfiguration on the part of their owners. Such databases leak billions of enterprise and customer records every year, and it takes intense effort from security researchers all over the world to identify them and report them to their owners.
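The misconfiguration behind exposures like these is typically a mongod that listens on a non-loopback interface while authorization is left off. As an added example (not from the article and not MongoDB's own tooling), this Python audit parses a mongod.conf and flags those two settings, with a constructed exposed configuration beside its corrected form; it handles only the simple two-level YAML that mongod.conf normally uses and treats any hostname bind address as reachable from other hosts.

```python
import ipaddress

# Constructed samples (not from the article): the exposed mongod.conf and its corrected form.
INSECURE_CONF = """\
net:
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1   # remote administration goes through an SSH tunnel or VPN
security:
  authorization: enabled
"""

def parse_simple_yaml(text):
    """Parse the two-level 'section:' / '  key: value' YAML subset that mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip(): continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):            # unindented line opens a new section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip().strip("'\"")
    return conf

def is_remote_reachable(addr):
    """True for a bind address other hosts can connect to (anything but loopback / unix socket)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                         # hostname -> reachable; unix socket path -> not
        return not addr.startswith("/")
    return ip.is_unspecified or not ip.is_loopback

def audit(conf_text):
    """Return findings; an empty list means neither risky setting is present."""
    conf = parse_simple_yaml(conf_text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",") if a.strip()]  # 3.6+ default
    remote = [a for a in addrs if is_remote_reachable(a)]
    if net.get("bindIpAll", "").lower() == "true" or remote:
        findings.append("net: reachable from other hosts via " + ", ".join(remote or ["bindIpAll"]))
    # security.keyFile (replica-set / sharded-cluster auth) implies authorization: enabled.
    if sec.get("authorization", "disabled").lower() != "enabled" and "keyFile" not in sec:
        findings.append("security: authorization is not enabled")
    return findings
```

A config that produces both findings is the combination the article describes: anyone who can reach the port can read, drop and replace the data without credentials.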

According to research conducted by Digital Shadows, as many as "2.3 billion data files are being made publicly available by misconfigured and non-secured technologies", including Amazon S3 buckets, Server Message Block (SMB) shares, File Transfer Protocol (FTP) servers and rsync servers.

If discovered by hackers, these databases can provide invaluable information required to create fake profiles, steal money from banks, make unauthorised purchases using payment card details, and carry out phishing attacks.

The number of data files available in these non-secured servers rose by 50% between March 2018 and June 2019 and these files included highly-sensitive information such as patient records, medical images like X-ray scans, passport scans, asset documents, employee passwords, and financial records.

According to Digital Shadows, most of the exposed records sat on unsecured SMB shares, while FTP and rsync servers accounted for 20 percent and 16 percent of the 2.3 billion data files respectively. Amazon Web Services has introduced a feature called "Block Public Access" that has reduced data exposure to an extent, but the overall volume of exposed documents still increased because other types of server remain poorly secured.

Organisations that misconfigure MongoDB databases must face legal action

Commenting on a hacker gaining access to and wiping data from almost 23,000 MongoDB databases, Ilia Kolochenko, Founder & CEO of ImmuniWeb, said that this large-scale extortion campaign may bring a powerful boost to cybersecurity awareness, as many organisations carelessly expose terabytes of confidential and sensitive data online in unprotected cloud storage or databases.

“I think governments should mandate special agencies or law enforcement teams to crawl and monitor the Internet for such leaks affecting their jurisdictions. Once detected, legal action should be taken against the company behind the leak and all costs of the monitoring and investigation should likewise be imposed on the guilty company.

“Organisations, on their side, should urgently implement continuous attack surface monitoring and implement a well-thought-out third-party risk management program. Today, many disastrous incidents and data exposures stem from negligent suppliers or vendors that have privileged access to the data of their clients and fail to properly secure it.

“Paper-based questionnaires won’t help, and more proactive monitoring of the attack surface and the Dark Web for data stolen from your suppliers is a requisite in 2020. Otherwise, we will certainly see a steady surge of such leaks,” he added.
