Cyber attackers have targeted open source MongoDB. The attack has exposed over 10,000 database instances.
First reported by GDI Foundation security researcher Victor Gevers in December last year, the security threat allows attackers to take control of a MongoDB database and hold the company for ransom. The attackers can only be identified by the email address they use to demand payment.
According to a report published by security researcher Chris Vickery back in December 2015, over 35,000 databases are publicly reachable through the latest vulnerability. It is estimated that up to 99,000 databases are at risk. Database admins need to follow a security checklist and enable strict access controls.
The most recently identified group is Nial Merrigan, which sends emails from firstname.lastname@example.org. The group has compromised 17 MongoDB instances. Moreover, the hackers are demanding 0.25 Bitcoin to return the data.
Simple to gain backdoor access
Taking control of a MongoDB instance is considered fairly simple if it is misconfigured. Attackers log into the database through the security loophole and steal or encrypt its contents. They leverage open ports and locate misconfigured databases using the Shodan search engine.
Only upon receiving the ransom payment do the attackers restore access to the affected databases. The amount demanded by the latest hacker group starts from 0.15 Bitcoin, which is $892.
Experts believe that the ease of gaining access to MongoDB installations is the prime reason behind the ransomware attack. The databases can be altered over the Web and allow attackers to gain full administrator rights, not just for reading but also for creating, updating and even deleting existing records.
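The two misconfigurations behind that full administrator access are a mongod that listens on every interface and one that runs with access control turned off. The audit script below is an added example and is not part of the original article; it checks a mongod.conf for both settings and shows a constructed exposed configuration beside its hardened counterpart (the tiny YAML reader only handles the flat two-level layout mongod.conf uses, an assumption made for this example).

```python
# Constructed sample: a mongod.conf as found on an exposed host (no access
# control, listening on every interface).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with both fixes applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset that mongod.conf uses.
    Assumption: no deeper nesting, lists or quoting (not a general YAML parser)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):               # top-level section header
            section = key
            conf.setdefault(section, {})
        else:
            conf[section][key] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return findings for the settings behind the ransom attacks; [] means clean."""
    conf = parse_simple_yaml(text)
    net, security = conf.get("net", {}), conf.get("security", {})
    findings = []
    bind = net.get("bindIp")
    if bind is None:
        # mongod releases before 3.6 bound every interface when bindIp was unset
        findings.append("net.bindIp unset: older mongod listens on all interfaces")
    elif ALL_INTERFACES & {a.strip() for a in bind.split(",")}:
        findings.append("net.bindIp exposes mongod on every interface")
    if security.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: any client gets full admin rights")
    return findings
```

Running `audit_mongod_conf` over the exposed sample reports both findings, while the hardened sample comes back clean.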