Over the past three weeks, over 12,000 MongoDB databases have been deleted, with hackers demanding ransom in return for their restoration.
This type of cyberextortion is not new; MongoDB and similar companies have been targets of attacks like this for years. According to Bleeping Computer’s report, this latest series of database hits was found by Sanyam Jain, an independent security researcher. Using the internet-connected device search engine BinaryEdge, Jain identified 12,564 vulnerable MongoDB databases that were wiped. He also found that the attacks were connected to the hacking group Unistellar.
Jain first noticed the attacks in April when he found a wiped MongoDB database containing a short ransom note. Further investigation showed more wiped databases and two email addresses left by the attackers that were connected to Unistellar.
The report notes that attackers are likely finding remotely accessible and publicly available MongoDB databases through search engines like BinaryEdge and Shodan, and that the process is probably automated. After finding and connecting to the unprotected databases, the script will delete what it can find. The hackers also create restore points so that if victims do pay the ransom, they can restore the data. While previous MongoDB attacks specified a ransom amount in bitcoin, this recent campaign leaves only the contact emails for communication and negotiation of recovery terms.
This report comes just a few weeks after the discovery of several privacy incidents involving MongoDB in India. In April, the records of 12.5 million pregnant women were left exposed on a public database, and in May, there were reports of 275 million records also wiped by Unistellar.
How to secure databases
These frequent attacks on vulnerable databases highlight the importance of effective protection. Database owners should know that these are mostly preventable cases, and attacks like these can likely be stopped by setting up strong database security. To prevent attacks against MongoDB, users should follow the program’s security checklist. The list discusses the proper way of enforcing authentication, enabling access control, and limiting network exposure — all necessary for effectively securing databases.
Deploying a publicly accessible data source that is directly connected to the internet has its risks. If it is the right design choice for an enterprise, understanding the technology and services in the solution stack is the next step to a strong defense. Limiting the privileges of front-end identities making requests should be considered, as well as making sure that each session uses a unique ID instead of a having single ID for the entire application.
After determining what and where to deploy applications, basic testing should be done to ensure that they’re configured properly. As part of regular deployment testing, basic tests should be run to see if services are accessible from appropriate places.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).