January has been a rough month for anyone who a) uses the popular MongoDB database software, and b) doesn’t really know how to secure it.
A flurry of ransomware attacks has targeted the platform, taking advantage of installations that have the administrator account configured without a password.
When we initially covered it, around 10,500 systems had been compromised. That number rather swiftly soared to almost 30,000, as the number of hacking groups targeting MongoDB increased exponentially.
One of the groups that targeted MongoDB, called Kraken0, is now selling its exploit code, a move that all but guarantees an increase in the number of actors targeting the platform.
Kraken0 is actively trying to sell their ransomware kit for open MongoDBs (34.503 victims) & Elasticsearch (4,607 victims) worldwide. pic.twitter.com/VThCCNPkqd
— Victor Gevers (@0xDUDE) January 18, 2017
Included in the package is malware for both MongoDB and Elasticsearch, which has similarly been the target of ransomware attacks over the past month.
Also thrown in is a list of 100,000 potentially vulnerable MongoDB IPs, 30,000 Elasticsearch IPs, and a tool to scan the entire publicly-facing Internet for further vulnerable systems.
A copy of the source code will set you back $500, payable in Bitcoin. If you’re not too concerned with making modifications to the code, you can get a binary for just $100.
Turning the ransomware into a commodity means that anyone with enough cash can start targeting vulnerable databases. Now more than ever, it’s important for people using MongoDB and Elasticsearch to learn how to secure their systems.
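For administrators who want to check their own MongoDB hosts for the exposure described above, here is an added example (not from the original article or from MongoDB) that audits a mongod.conf for disabled access control and a listener bound beyond private networks. It assumes the YAML config format used since MongoDB 2.6; the sample configs and the `flatten` and `audit` helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs in mongod's YAML format (not taken from any real host).
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5  # constructed address\n"
                 "security:\n  authorization: enabled\n")

def flatten(text):
    """Flatten the nested-mapping subset of YAML used by mongod.conf into dotted keys."""
    stack, out = [], {}  # stack: (indent, key) of the mappings currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indent level
        value = value.strip().strip("'\"")
        if value:
            out[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return out

def audit(text):
    """Return (setting, problem) pairs for an unauthenticated, exposed mongod."""
    conf, findings = flatten(text), []
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append(("security.authorization",
                         "access control is off, so no password is needed"))
    if conf.get("net.bindIpAll", "false").lower() == "true":
        findings.append(("net.bindIpAll", "listens on every interface"))
    if "net.bindIp" not in conf:
        findings.append(("net.bindIp",
                         "unset; before MongoDB 3.6 that means all interfaces"))
    for entry in conf.get("net.bindIp", "").split(","):
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # hostname or empty entry: not classified here
        if ip.is_unspecified or ip.is_global:
            findings.append(("net.bindIp", f"{ip} binds every interface or a public address"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A clean result only covers the config file: enabling authorization still requires creating the administrative user, and a host firewall should restrict port 27017 as well.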
We’ve reached out to MongoDB and Kraken0 for comment. If we hear back from them, we’ll update this piece.