MongoDB instances are being hit in data extortion attacks, so make sure you're protected


  • Over 200,000 MongoDB servers misconfigured, 3,000 exposed without passwords
  • Hackers wiped databases, left ransom notes demanding bitcoin payments
  • Many servers run outdated versions, vulnerable to DoS and persistent access

If you’re running a MongoDB instance, you might want to double-check your configuration, as experts have flagged hackers are looking to extort you for money.

Security researchers Flare have reported finding more than 200,000 misconfigured MongoDB servers whose data is available to anyone who knows where to look. Roughly half of those are exposing operational information, and approximately 3,000 can be accessed without a password.

Of those that can be easily accessed, at least half had already been broken into: their contents were wiped and an unnamed threat actor left a ransom note demanding 0.005 BTC ($387 at press time). It is possible that many of the other half were compromised as well but paid the ransom and restored their data.

How to stay safe

The threat actor reportedly has five BTC addresses they are using to receive the funds, one of which is by far the most active.

We don’t know how many transactions the wallet has received, how many people paid the ransom demand, or whether the attackers actually retain copies of the wiped databases or are simply demanding payment for nothing.

Flare also said the pool of potential victims is far larger than 3,000 servers: around half (95,000) of all inspected instances were running older versions of MongoDB, which are vulnerable to various known and unknown flaws, some of which can also be exploited for persistent access.

Most of the n-day flaws affecting these older versions, however, lend themselves to denial-of-service (DoS) rather than data exfiltration or remote code execution. As a general rule of thumb, admins should make sure their MongoDB instances are not exposed to the internet. If they must be, admins should at least make sure passwords are strong, firewall rules and Kubernetes network policies are strict, and configurations are not copied verbatim from deployment guides.
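As an added illustration (not from Flare or this article), the kind of copy-pasted mongod.conf that produces the exposure described above, beside a hardened version of the same file and a Kubernetes NetworkPolicy that restricts who can reach port 27017. Addresses, file paths and pod labels are assumptions.

```yaml
# WEAK: what a copy-pasted deployment guide often produces (constructed example).
# Listens on every interface with no authentication: anyone who can reach
# port 27017 can read, wipe and "ransom" the data.
net:
  port: 27017
  bindIpAll: true          # exposes the instance to the internet
# (no "security" section: authorization defaults to disabled)

---
# HARDENED: same instance, reachable only from the private network and
# only by authenticated clients over TLS. Addresses and paths are assumed.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12   # loopback + private NIC only, never 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongo/tls/server.pem   # assumed path
    CAFile: /etc/mongo/tls/ca.pem                   # assumed path
security:
  authorization: enabled   # every client must log in with a strong password
  # Create the first admin user over localhost before opening the port:
  #   use admin
  #   db.createUser({user: "admin", pwd: passwordPrompt(), roles: ["root"]})

---
# Kubernetes NetworkPolicy (assumed labels): only pods labelled app=api in
# the same namespace may reach the mongod pods on 27017; everything else,
# including other namespaces and the internet, is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mongodb-ingress-only-from-api
spec:
  podSelector:
    matchLabels:
      app: mongodb
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 27017
```

A quick self-check after applying the hardened config is to connect from an external host without credentials and confirm the connection is refused rather than answered.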



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
