Please be advised that there has been a resurgence of attacks on vulnerable MongoDB servers. The attacks involve malicious actors seeking out MongoDB installations that are misconfigured and reachable from the internet with no administrator password set. After attackers gain access, they export or delete the data and replace it with a ransom note. The following is an example of ransom note text:
“We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC [$650] and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored.”
Please be reminded that ransom payment does not guarantee the restoration of data. In these attacks specifically, there have been reports of ransom payment but no reports of data restoration (see https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/).
Recommendations:
- Users/admins should not rely on server default settings and should instead follow the recommendations on the MongoDB Security Checklist.
- Make sure to perform database backups on a regular basis.
- Users/admins should perform regular checks on their server’s services, and ensure that all applications are patched/updated and unnecessary services have been shut off.
- View the “We’re Always Striving to Make Deployment Easier” section of the vendor blog post dated 9/8/17 for a robust list of available resources.
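The two settings the attackers rely on are access control being off (security.authorization) and the server listening on every interface (net.bindIp). The following script is an added example, not part of this alert or of MongoDB's own tooling: it reads a mongod.conf, flags those settings, and shows a constructed exposed configuration beside a hardened one. It parses only the flat two-level YAML subset used in the samples, so treat its verdict on a real file with that limitation in mind.

```python
"""Audit a mongod.conf for the settings behind the MongoDB ransom attacks.

Added example for this alert (not MongoDB's own tooling). It checks the two
settings the attackers rely on: access control off (security.authorization)
and a listener reachable from the internet (net.bindIp / net.bindIpAll).
Only the flat two-level YAML subset used by the samples below is parsed.
"""

# Constructed sample: the exposed posture the alert describes. There is no
# security section, so access control is off, and the server listens on
# every interface.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server hardened per the Security Checklist.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WILDCARD_BINDS = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse 'section:' / '  key: value' pairs into {section: {key: value}}.

    Comments and blank lines are ignored. Nested lists or deeper levels are
    not supported; this is enough for the mongod.conf keys audited here.
    """
    sections = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and line.endswith(":"):
            section = line[:-1].strip()
            sections.setdefault(section, {})
        elif indent > 0 and section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            sections[section][key.strip()] = value.strip()
    return sections


def audit_mongod_conf(text):
    """Return a list of (setting, finding) tuples; an empty list means no issue."""
    conf = parse_simple_yaml(text)
    findings = []

    # MongoDB does not enable access control unless this is set explicitly.
    authz = conf.get("security", {}).get("authorization", "disabled")
    if authz.lower() != "enabled":
        findings.append((
            "security.authorization",
            "access control is off: any client that reaches the port can "
            "read, export or drop every database",
        ))

    net = conf.get("net", {})
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    bind_ips = [ip.strip() for ip in net.get("bindIp", "").split(",") if ip.strip()]
    # Before MongoDB 3.6 an unset bindIp meant all interfaces, so a missing
    # value is treated the same as a wildcard address.
    if bind_all or not bind_ips or any(ip in WILDCARD_BINDS for ip in bind_ips):
        findings.append((
            "net.bindIp",
            "server listens on all interfaces; bind to 127.0.0.1 or the "
            "application network only and firewall port 27017",
        ))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_mongod_conf(conf)
        print(f"{name}: {len(issues)} finding(s)")
        for setting, msg in issues:
            print(f"  [{setting}] {msg}")
```

Run it against /etc/mongod.conf (or pass the file contents to audit_mongod_conf) after any change to the server. Note that turning on security.authorization before at least one administrative user exists locks legitimate clients out as well; the Security Checklist referenced above covers creating that user with db.createUser before enabling access control.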
For additional information please see:
- https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
- NJCCIC Cyber Alert, https://t.e2ma.net/message/gv0upb/0u9kyod
- https://www.infosecurity-magazine.com/news/mongodb-installations-held-to/