Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Unprotected MongoDB Installations: child’s play for hackers

Hacker held open MongoDB databases for ransom

In the last weeks, security experts observed a significant increase in ransom attacks against unprotected MongoDB databases.

Victor Gevers, the Co-founder of the GDI Foundation , was the first expert that noticed the attacks and warned of poor security for MongoDB deployments in the wild.

In a first time, the security researcher discovered 196 instances of MongoDB that were wiped by cyber criminals that were held for ransom.

The expert also noticed that a hacker who goes by online moniker Harak1r1 was behind the ransom attacks. The cyber-criminal was demanding 0.2 BTC, roughly $200 at thetime of the attacks, to restore the installation. To verify the ownership of the installation, Harak1r1 requests system administrators to provide their email.

For hackers and security experts is quite simple to identify open MongoDB installations by using custom scripts or search engines like Shodan and Censys.

On December 27, Gevers discovered a MongoDB server that was left open without authentication through theInternet.

“Unlike otherinstances, he discovered in the past; this one was different. When he accessed the open server, instead of looking at the database’s content, a collection of tables, Gevers found only one table, named “WARNING.”” reads a blog post published on bleepingcomputer.com.

The attacker accessed the open MongoDB database, exported its content, and replaced all data witha table containing the following code:

{ “_id” : ObjectId(“5859a0370b8e49f123fcc7da”), “mail” : “harak1r1@sigaint.org”, “note” : “SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !” }
“I was able to confirm [this] because the log files show clearly that the date [at which] it was exported first and then the new database withtablenameWARNING was created,” Gevers told BleepingComputer. “Every action in the database servers was being logged.”

The security researcher notified victims their database were hacked:

“Criminals often target open databases to deploy their activities like data theft/ransom. However, we also have seen cases were open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” he wrote in the notification letter sent to the victims.

Unprotected MongoDB Installations: child’s play for hackers
Figure 1 Hacked MongoDB Installation

Gevers searched on Google for the email address used by the hacker and the Bitcoin address used for the payments. The analysis of the Bitcoin address allowed him to verify how many other users were victims of the same attacker. At the time of this writing, the analysis of the Bitcoin walletused by Harak1r1 revealed that at least 22 victims appeared to have paid.

In the following weeks, the number of hacked MongoDB databases rapidly increased.

According to the Australian Communications and Media Authority Antipodes, the number of systems compromised by hackers more than double to 27,000 in just a day.

The analysis of the Bitcoin walletused by Harak1r1 revealed that at least 22 victims appeared to have paid.

Thesecurity researcher Niall Merrigan explained that the number of attacks has soared from 12,000 earlier to 27,633 in just 12 hours. The expertbelieves the ransom attacks were powered by at least 15 different actors. One of the attackers goes online with the moniker ‘kraken0,’ and he has compromised 15,482 MongoDB databases, demanding victims the payment of 1 bitcoin ($US921).

Merrigan explained that hackers follow a specific strategy, they use Shodan to scan for open MongoDB databases, then connect them using anonymous access to list all available databases.

Crooks may or may not download the database before wiping the archive; they use to leave just a single file that informs victims of the attack and instruct them on how to pay the ransom.

According to the researcher Adrian Sanabria (@sawaba), Shodan only reports a varying fraction of the overall number of MongoDB in the wild open to the Internet, for this reason, Gevers also analyzed another search engine called ZoomEye who reported 99,491 candidates.

Merrigam and Gevers collected information about compromised MongoDB installations and related actors in the following document:


“It’s like the kidnappers keep delivering the ransom notes, but you don’t know who has the actual original data,” Merrigan said. “That’s why we’re tracking the notes, so that if we see the [databases] are being exfiltrated by the thieves, we can know the guys who should actually get paid if they want to get their data back.”

A few days later the Australian Communications and Media Authority Antipodes, that is monitoring exposed MongoDB installations since July 2015 using intelligence provided by the ShadowServer nonprofit, reported about 400 exposed MongoDB databases a day to 90 percent of Australia’s network providers via the Australian Internet Security Initiative (AISI).

Unprotected MongoDB Installations: child’s play for hackers
Figure 2 AISI statistics on Exposed MongoDB published by ElReg

It is interesting to note that the same hackers behind the MongoDB installs have started targeting Elasticsearch clusters that are unprotected and accessible from the internet.

Elasticsearch is a Java-based search engine based on the free and open-source information retrieval software library Lucene. It is developed in Java and is released as open source; it is used by many organizations worldwide.

Crooks are targeting Elasticsearch cluster with ransom attacks in the same way they have made with MongoDB.The news was confirmed on the official support forums this week, a user who was running a test deployment accessible from the internet reported hackers removed all the indices and added a new index “warning” was created there.

The user has found thefollowing text from the raw index data:


Something quite similar to the recent ransom attacks against MongoDB.

“Late last week, a malicious attack was initiated, in which data from thousands of open source databases was copied, deleted and held for ransom. Although no malware, or “ransomware” was used in these attacks, and the

Viewing all articles
Browse latest Browse all 12749