12,564 Unsecured MongoDB Databases Deleted by Attackers

A total of 12,564 unsecured MongoDB databases have been deleted in the course of three weeks. After each deletion, a message is left prompting the database owners to get in touch with the hackers to have the data restored.

Thousands of MongoDB Databases Deleted

The attackers were discovered and reported by independent security researcher Sanyam Jain. The researcher believes that the hacker(s) behind the attacks are most likely charging money in cryptocurrency, with the sum being bigger or smaller depending on the sensitivity of the database.

The researcher first spotted the attacks on April 24, when he came across a wiped MongoDB database that contained not the usual huge amounts of leaked data but the following note: “Restore ? Contact : [email protected]”.


In other words, the hackers were leaving ransom notes asking the victims to contact them via email if they want their data restored. The provided email addresses included [email protected] or [email protected].

Since no other details, such as an exact ransom amount, were given, it’s very likely that the hackers are open to negotiating the terms of data recovery.

This is not the first time MongoDB databases have been attacked this way. In 2017, at least 28,000 misconfigured MongoDB databases fell victim to hacker attacks. The attacks were possible because the servers were accessible via the Internet. The compromised servers were also misconfigured or prone to vulnerability exploits (due to unpatched flaws).

Then, in 2018, MongoDB databases were at risk from the so-called MongoLock ransomware. Bob Diachenko, the security researcher who first discovered the malicious campaign, shared that attackers would connect to an unprotected database and simply erase it. A new database called “Warning” with a collection inside it named “Readme” would be left in place of the old database. The Readme collection contained the ransom message, which claimed that the database had been encrypted and that the victims needed to pay for restoration.

The MongoLock attack also didn’t ask for a specific amount of money and left email addresses for the victims to get in touch with its operators.
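The two artifacts described above, the “Restore ? Contact :” note and the MongoLock “Warning”/“Readme” layout, can be checked for in a listing of a server's databases. The following is an added example, not code from the article or from MongoDB: the function names and the snapshot format (database name to collection name to documents, as an operator would export it) are assumptions, and the sample data is constructed.

```python
import re

# Indicators described in the article: the note text from the wiped databases
# and the 2018 MongoLock layout (database "Warning", collection "Readme").
NOTE_RE = re.compile(r"restore\s*\?\s*contact\s*:", re.IGNORECASE)
MONGOLOCK_DB, MONGOLOCK_COLL = "Warning", "Readme"
SYSTEM_DBS = {"admin", "config", "local"}  # MongoDB's built-in databases

def _strings(value):
    """Yield every string nested inside a document, keys included."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield str(key)
            yield from _strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)

def find_ransom_indicators(snapshot):
    """snapshot: {database: {collection: [documents]}} -> sorted findings."""
    findings = set()
    for db, collections in snapshot.items():
        if db in SYSTEM_DBS:
            continue
        for coll, docs in collections.items():
            if (db, coll) == (MONGOLOCK_DB, MONGOLOCK_COLL):
                findings.add((db, coll, "mongolock-layout"))
            if any(NOTE_RE.search(s) for doc in docs for s in _strings(doc)):
                findings.add((db, coll, "ransom-note-text"))
    return sorted(findings)

def only_notes_remain(snapshot):
    """Heuristic (assumption): every user database left holds an indicator."""
    user_dbs = {db for db in snapshot if db not in SYSTEM_DBS}
    flagged = {db for db, _, _ in find_ransom_indicators(snapshot)}
    return bool(user_dbs) and user_dbs == flagged

# Constructed sample snapshot; the address is a placeholder, not from the article.
SAMPLE = {
    "admin": {"system.version": [{"_id": "featureCompatibilityVersion"}]},
    "Warning": {"Readme": [{"message": "constructed ransom text"}]},
    "shop": {"note": [{"msg": "Restore ? Contact : placeholder@example.invalid"}]},
    "inventory": {"items": [{"sku": "A1", "notes": ["restore from backup"]}]},
}

if __name__ == "__main__":
    for finding in find_ransom_indicators(SAMPLE):
        print(finding)
    print("only notes remain:", only_notes_remain(SAMPLE))
```

A hit from `only_notes_remain` means no untouched user database is left in the snapshot, which matches the wiped state the researchers describe.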

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
