47% of MongoDB databases exposed online, hacker tries to ransom them

22,900 is the number of MongoDB databases on which a hacker uploaded ransom notes.

These databases should be noted were exposed online without any prior protection. This exhibition includes just 47 percent of MongoDB online accessible databases.

This article will also interest you: Ransomware attack: a Polynesian company has been surprised

To find the databases discussed here, the hacker used automated codes to search for them online. Once he got it, he simply deleted the contents, and the place left a note where he demanded payment in a way of 0.015 bitcoin, or $140

Subsequently, the cybercriminal gives the company 2 days to pay the ransom. If this is not done as a request, he then threatens to disclose the data he has collected, and then contact the authorities in charge of compliance with the RDPD, the general regulation on the protection given, to report a leak.

Since April 2020, such attacks requiring ransoms of the type (READ_ME_TO_RECOVER_YOUR_DATA) have been observed several times. According to Victor Gevers, an expert in computer security, pointed out that this practice was not originally accompanied by data erasure.

The hacker continued to stay connected based on the years concerned and then left a new note a few days later.

The perpetrator continued to log into the same database, leaving the ransom demand, then returning to leave another copy of the same request a few days later.

According to our cybersecurity expert, Victor Gevers, some of the data recovered by the cybercriminal were just for testing tools, a large part of the production systems were affected because their data was deleted. The expert had pointed out that he had noticed in the course of his task, in the GDI Foundation, that the data concerned had indeed been erased earlier in the day during the various checks of the MongoDB systems. Systems that he had the task of monitoring and securing. "Today, I was only able to report one data leak. Normally, I can do at least 5 or 10," notes Victor Gevers.

According to the latter, it is possible to observe this kind of cyber attack continuously since the end of 2016. Indeed these kinds of attacks on data in the context of "MongoDB wiping – ransom" are not in practice, something recent. The attacks repeated by the computer security expert come against a backdrop of computer attacks that have been going on since November 2016.

And for good reason, hackers realized that they had the opportunity to make a lot of money. Simply by copying and erasing the data from MongoDB servers, with a ransom demand instead. As they certainly know, server owners who often despair of losing their data, are often tempted to pay the sums required to recover it.

There are nearly 28,000 servers that were allegedly targeted by serial cyberattacks in January 2017. In September 2017, the number was 26,000 and in February 2019 at 3000. A way to show the recurrence of these security incidents.

MongoDB's senior director of product safety, Davi Ottenheimer, accused the owners of the database in 2017 of failing to take appropriate security measures to protect them, as well as exhibitors with cyberattacks. Because there are several of these databases that didn't have firewalls. Unfortunately even 3 years later, no improvement has been observed at this level. Of the 60,000 servers indexed by the Director of Security, 48,100 are still exposed on the internet without any protection. And the majority of them don't have a real authentication mode enabled.

In the majority of cases, these servers are exposed online without any protection, when their administrators followed configuration rules that were not correct. Because the default configuration of all MongoDB databases is now provided with default settings that are secure. And yet there are still tens of thousands of servers that lack the most basic security possible and continues to be an easily accessible on the internet without any logical application can clear this up.

Now access an unlimited number of passwords:

Check out our hacking software