Over the course of a turbulent week, several hackers were able to break into over 10,500 systems running the MongoDB database software.
Once inside, the attackers would wipe the database and leave a ransom note, essentially demanding payment to restore it to its previous state. This is typically between $150 and $500, and paid in Bitcoin.
According to Merrigan and Gervers, some of the hacking groups targeting MongoDB (it’s believed that there are now eight) don’t even bother to make a copy of the victim’s data before wiping it. Even if the victim pays the ransom, the data is permanently lost.
Gervers says that he’s identified 84 examples of servers that have been hacked and left with a ransom note, yet have “no trace of data exfiltration”.
Complicating matters further, there’s evidence that groups are re-hacking already hacked servers in order to replace the existing ransom note with their own. This makes it almost impossible for a victim to know whom to pay.
Speaking to Bleeping Computer, Merrigan described the situation as “bedlem [sic],” and said “attackers are deleting each others’ ransoms as quick as they pop up.”
He also said that the spate of popped MongoDB systems was a “gold rush”, and he expected more hacking groups to start targeting the software.
Perhaps the most staggering fact from this story is that this was all possible due to user error. In every case, the MongoDB server had an administrator account that was configured without a password.
Let’s call this what it is: gross negligence, especially when it’s trivially easy to set up authentication in MongoDB.
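The two settings behind these wipes are whether `mongod` enforces authorization and which interfaces it listens on. The following audit script is an added example written for this page, not code from the article or from MongoDB Inc; it reads the flat two-level layout of a `mongod.conf` (YAML) and flags the combination that left those 10,500 servers open. The two config samples are constructed, and the minimal section reader is an assumption of that flat layout rather than a full YAML parser.

```python
"""Audit a mongod.conf for the two settings behind the MongoDB ransom wipes:
security.authorization (must be 'enabled') and net.bindIp (must not be every interface).
Added example for this article; the configs below are constructed samples."""

# Constructed sample: the kind of config that got wiped. No 'security' section at
# all, so any client that can reach port 27017 is an administrator.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the corrected form. Authorization on, listener bound to
# localhost (add specific interface addresses, comma separated, if clients are remote).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_sections(text):
    """Minimal reader for the flat 'section:\\n  key: value' layout of mongod.conf.
    Assumption: no nested lists or deeper maps; returns {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            current = key
            sections.setdefault(current, {})
        elif current is not None:
            sections[current][key] = value.strip()
    return sections


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_sections(text)
    findings = []

    # Check 1: authorization. Without it every connection acts as an unauthenticated admin,
    # which is exactly the state the ransom groups exploited.
    auth = cfg.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': no password is required to drop databases")

    # Check 2: exposure. A missing bindIp is treated as a finding because mongod releases
    # before 3.6 listened on all interfaces when the key was absent.
    bind = cfg.get("net", {}).get("bindIp")
    if bind is None:
        findings.append("net.bindIp is not set: older mongod versions listen on all interfaces by default")
    else:
        addrs = [a.strip() for a in bind.split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp binds to every interface: the database is reachable from the internet")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or "OK")
```

Enabling `security.authorization` alone is not enough: create an administrative user in the `admin` database with `db.createUser` (giving it the `userAdminAnyDatabase` role) before restarting `mongod` with the hardened config, otherwise you lock yourself out too. The bind check is the second line of defence, since a database that is only reachable from the application host is not something an internet-wide scan can find.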
In response to this spate of hackings, MongoDB Inc, the developers of MongoDB, have released an updated guide to MongoDB security, with an emphasis on mitigating these ransomware-inspired attacks.
While it’s too late for the 10,500 servers that have already been popped, it will hopefully prevent anyone else falling victim to it.