Please be advised of a new attack type dubbed “Mongo Lock”, which targets remotely accessible, unprotected MongoDB databases. In this scam, malicious actors scan the internet for vulnerable servers and, once one is located, export and then delete the server content. A ransom note is then generated demanding bitcoin payment in return for the deleted content.
Reports state that following deletion, the malicious actors will leave a new database named “Warning”, which contains a Readme collection. The following is sample ransom note text from the Readme collection in this attack:
Your database was encrypted with ‘Mongo Lock’. If you want to decrypt your database, need to pay us 0.1 BTC (Bitcoins), also don’t delete ‘Unique_KEY’ and save it to a safe place, without that we cannot help you. Send email to us: mongodb[at]8chan[dot]co for decryption service.
(Text courtesy of BleepingComputer).
According to the security researcher who discovered the attack (Bob Diachenko), the scripts that automate accessing MongoDB, exporting the data and then deleting it do not always work. He notes that sometimes the script fails and the data is still available to the user even though a ransom note has been created.
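The two observations above (a “Warning” database holding a “Readme” collection, and deletion that sometimes fails) translate directly into a triage check. The following is an added example, not code from the advisory or from BleepingComputer: it inspects an offline snapshot of a server's database and collection listing for the Mongo Lock indicators and reports whether user databases survived, so a responder knows whether the data is actually gone before paying any attention to the note. The snapshot shape, the sample data and the marker phrases beyond those quoted in the note are assumptions; on a live server you would build the same snapshot from pymongo's `list_database_names()`, `list_collection_names()` and `find()`.

```python
"""Offline triage for the Mongo Lock indicators described in the advisory."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Databases every mongod carries; their presence says nothing about user data.
SYSTEM_DBS = {"admin", "local", "config"}
# Names the report attributes to this campaign.
RANSOM_DB = "Warning"
RANSOM_COLLECTION = "Readme"
# Phrases taken from the sample note; matching is case-insensitive.
RANSOM_MARKERS = ("mongo lock", "unique_key", "btc")

# A snapshot is {database: {collection: [documents]}}, the shape you would
# assemble from pymongo's list_database_names(), list_collection_names(), find().
Snapshot = Dict[str, Dict[str, List[dict]]]


@dataclass
class LockFinding:
    ransom_note_found: bool
    ransom_note: Optional[str]
    user_databases_remaining: List[str] = field(default_factory=list)

    @property
    def data_appears_wiped(self) -> bool:
        # Note present and only system databases left: treat as a wipe.
        return self.ransom_note_found and not self.user_databases_remaining


def find_ransom_note(snapshot: Snapshot) -> Optional[str]:
    """Return the note text if a Warning/Readme document matches the markers."""
    readme = snapshot.get(RANSOM_DB, {}).get(RANSOM_COLLECTION, [])
    for doc in readme:
        text = " ".join(str(value) for value in doc.values())
        if any(marker in text.lower() for marker in RANSOM_MARKERS):
            return text
    return None


def inspect_snapshot(snapshot: Snapshot) -> LockFinding:
    """Flag the ransom note and list the non-system databases still present."""
    note = find_ransom_note(snapshot)
    remaining = sorted(
        name for name in snapshot if name not in SYSTEM_DBS and name != RANSOM_DB
    )
    return LockFinding(note is not None, note, remaining)


def describe(finding: LockFinding) -> str:
    """One-line verdict for a responder."""
    if not finding.ransom_note_found:
        return "no Mongo Lock indicators"
    if finding.data_appears_wiped:
        # The note claims encryption, but the report describes export + delete:
        # the only recovery path is a backup, not a decryption key.
        return "ransom note present and no user databases left: restore from backup"
    return ("ransom note present but user data still on the server: "
            + ", ".join(finding.user_databases_remaining))


# Constructed sample snapshots (not real data); the note text is the page's sample.
NOTE_TEXT = ("Your database was encrypted with 'Mongo Lock'. If you want to decrypt "
             "your database, need to pay us 0.1 BTC (Bitcoins) ...")
SAMPLE_WIPED: Snapshot = {          # script succeeded: only the note remains
    "admin": {"system.version": [{}]},
    "local": {"startup_log": [{}]},
    "config": {},
    "Warning": {"Readme": [{"_id": 1, "text": NOTE_TEXT}]},
}
SAMPLE_PARTIAL: Snapshot = {        # script failed after writing the note
    "admin": {"system.version": [{}]},
    "local": {"startup_log": [{}]},
    "customers": {"orders": [{"_id": 1, "total": 42}]},
    "Warning": {"Readme": [{"_id": 1, "text": NOTE_TEXT}]},
}
SAMPLE_CLEAN: Snapshot = {          # untouched server
    "admin": {"system.version": [{}]},
    "local": {"startup_log": [{}]},
    "customers": {"orders": [{"_id": 1, "total": 42}]},
}


if __name__ == "__main__":
    for label, snap in (("wiped", SAMPLE_WIPED), ("partial", SAMPLE_PARTIAL),
                        ("clean", SAMPLE_CLEAN)):
        print(f"{label}: {describe(inspect_snapshot(snap))}")
```

The check deliberately separates "note present" from "data gone": in the partial case the correct response is to take the server offline and back it up immediately, while in the wiped case the only path back is an existing backup, since the advisory describes deletion rather than encryption.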
For MongoDB recommendations, including a security checklist of recommended actions, please see the following resources:
- https://docs.mongodb.com/manual/security/
- https://docs.mongodb.com/manual/administration/security-checklist/#enable-access-control-and-enforce-authentication
Resource: https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/