In the past few weeks 34,503 MongoDB database servers have been hacked and held for ransom; and it’s not because of a flaw in MongoDB or anything like that—it’s because the database administrators didn’t put a password on the admin account.
In every case that researchers Niall Merrigan and Victor Gevers were able to find, the public-facing MongoDB database servers had no password configured for the administrator's account. So the front door was wide open for hackers, and boy did they come. A couple of weeks ago people started noticing that all of the data in their databases was gone, and in its place was a ransom note, typically demanding between $150 and $500 in bitcoin for the data to be returned.
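Added example, not from the article or the researchers it cites: a small shell audit that checks a mongod.conf for the two settings behind these break-ins, access control left off and the server listening on every interface, run against two constructed sample configs. The function name check_mongod_conf and the sample files are assumptions.

```shell
#!/bin/sh
# Added example: audit a mongod.conf for the exposure pattern described above.
# The two sample configs below are constructed, not taken from any real server.

WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# Constructed: no access control, bound to all interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# Constructed: access control on, listening only on loopback
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

# check_mongod_conf FILE -> prints each finding, returns 0 if clean, 1 otherwise
check_mongod_conf() {
  conf=$1
  rc=0
  # Without security.authorization: enabled, any client can act as admin.
  if ! grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then
    echo "$conf: security.authorization is not enabled"
    rc=1
  fi
  # A public bind address (0.0.0.0 / ::), bindIpAll, or no bindIp at all
  # (versions before 3.6 defaulted to all interfaces) exposes the server.
  if grep -Eq '^[[:space:]]*bindIp:[[:space:]]*(0\.0\.0\.0|::)' "$conf" \
     || grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf" \
     || ! grep -Eq '^[[:space:]]*bindIp:' "$conf"; then
    echo "$conf: net.bindIp is public or unset"
    rc=1
  fi
  return $rc
}

check_mongod_conf "$WEAK_CONF"      # reports both findings, returns 1
check_mongod_conf "$HARDENED_CONF"  # prints nothing, returns 0
```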
Back when the count was at 10,500, Merrigan and Gevers estimated that 25 percent of all publicly-accessible MongoDB servers had been hit, wiping out more than 100TB of data.
There is strong evidence that some of the hacking groups involved in this attack aren't even keeping copies of the data. So even if the victims pay the ransom, the data won't be restored. Current estimates by Merrigan and Gevers say that victims have paid a total of $20,000 in bitcoin and have not gotten any of their data back.
There is also evidence that hacking groups are stealing each other's victims. Many honeypot servers have been hacked multiple times; each time, the ransom note was replaced by a ransom note from another hacker. That way the victim might accidentally pay the latest hacker rather than the original one, making it impossible to know who really took the data, or whether paying the ransom will ever get it back.
And to make matters worse, one group was found selling their source code for $500 in bitcoin, which included a tool to scan the entire internet for vulnerable databases.