The initial attack on MongoDB was so successful that cybercriminals returned to strike it again
Cybercrime is increasing, so if your database has been left open for external connections, prepare to experience bedlam. Over the past several months, hackers have been having a heyday, taking a pause, and re-emerging to make profits by turning insecure MongoDB default configurations into a Bitcoin ransom opportunity.
The recent wave of MongoDB attacks hit over 26,000 servers, with the cybercriminals demanding Bitcoin payments from each victim. This development has alarmed many. It underscores the importance of acting with a sense of urgency and paying close attention to extensive security protection and best practices.
It can be noted that once cybercriminals are able to penetrate vulnerable devices, they tend to keep experimenting with their mode of attack. In other words, once they see how lucrative a business model has been, they revert to it. This is particularly true if they find numerous servers running the open source database still have not taken proper precautionary measures.
Founded in 2007, MongoDB ranks among the top seven free and open source database software solutions. It is reputed to handle big data well. Since its inception, it has been downloaded about 20 million times.
Around eight months ago, hackers were able to break into more than 10,500 systems running the MongoDB database software. The next step in the infiltration is to wipe the database and leave behind a ransom note demanding payment for its restoration to the previous state. Numerous companies that fell prey paid to get back their data.
The attacks first occurred in December 2016. By early January this year, numerous attacks on unsecured MongoDB databases took place. Security professional Niall Merrigan tweeted about the massive jump in ransomed databases since the initial attacks. Security researcher and GDI Foundation Co-founder Victor Gerver noted that some of the hacking culprits have not made copies of their victims’ data.
Hence, even if ransom is paid, data may have been obliterated. Companies that have been victimized realize too late that they were duped. In some cases, companies learn that the cybercriminals did not even have their data in the first place, and they were given bogus ransom notes.
To date, the security researchers have been busy collaborating with other experts to analyze the big wave of MongoDB hijacks. Multiple hacking crews were reportedly behind the recent cybercrime. One group was deemed responsible for hijacking over 22,000 machines through an external connection. Two other groups were not as successful, but still victimized numerous entities.
Beyond relying on reports culled by security researchers, companies running unsecured MongoDB databases must be ready to respond to repeated attacks. The biggest lesson learned from the MongoDB attacks is the crucial need for mitigation against such ransomware-inspired attacks.
Indeed, poor security and gross negligence have their perils. Hackers who scored major initial successes have been emboldened to strike again. Database administrators need to re-evaluate security settings and be on guard against cybercriminals.
