{"id":4395,"date":"2017-01-12T02:25:34","date_gmt":"2017-01-11T18:25:34","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4395"},"modified":"2017-01-12T02:25:55","modified_gmt":"2017-01-11T18:25:55","slug":"mongodb-ransack-33000-databases-hacked","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/01\/mongodb-ransack-33000-databases-hacked\/","title":{"rendered":"MongoDB Ransack &#8211; Over 33,000 Databases Hacked"},"content":{"rendered":"<p>Ah our favourite database in the news again, being hailed as the MongoDB Ransack a whole bunch of people have turned the insecure MongoDB default configuration into a ransom opportunity. They are deleting\/stealing databases and soliciting bitcoin payments to return the data.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/MongoDB-Ransack-Over-33000-Databases-Hacked-640x329.png\" alt=\"MongoDB Ransack - Over 33,000 Databases Hacked\" width=\"640\" height=\"329\" class=\"aligncenter size-medium wp-image-4396\" srcset=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/MongoDB-Ransack-Over-33000-Databases-Hacked-640x329.png 640w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/MongoDB-Ransack-Over-33000-Databases-Hacked.png 646w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>With multiple actors doing the same stuff though it&#8217;s hard to know who is legit, and it seems some are just deleting the databases and asking for payment without even having the data.<\/p>\n<blockquote><p>MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day.<\/p>\n<p>Criminals are accessing, copying and deleting data from unpatched or badly-configured databases.<\/p>\n<p>Administrators are being charged ransoms to have data returned. Initial attacks saw ransoms of 0.2 bitcoins (US$184) to attacker harak1r1, of which 22 victims appeared to have paid, up from 16 on Wednesday when the attacks were first reported.<\/p>\n<p>However, some payments could be benign transfers designed to make it appear victims are paying.<\/p>\n<p>Norway-based security researcher and Microsoft developer Niall Merrigan says the attacks have soared from 12,000 earlier today to 27,633, over the course of about 12 hours.<\/p>\n<p>Merrigan and his associates have now logged some 15 distinct attackers. One actor using the email handle kraken0 has compromised 15,482 MongoDB instances, demanding 1 bitcoin (US$921) to have files returned. No one appears to have paid. Merrigan says he is investigating &#8220;OSINT and finding different IOCs as well the actors involved&#8221;.<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>It&#8217;s not the first time we&#8217;ve talked about this too, back when <a href=\"https:\/\/www.darknet.org.uk\/2016\/04\/beautifulpeople-com-leaks-extremely-private-data-1-1m-people\/\">BeautifulPeople.com was hacked<\/a> it was due to MongoDB and it&#8217;s great defaults (listening on all interfaces, including public Internet-facing IP addresses) and not forcing any kind of authentication by default.<\/p>\n<p>Yah you can say it&#8217;s the users&#8217; problem, the features are there &#8211; but how hard is it to have secure defaults? Newer versions have fixed this, from what I know &#8211; but still, the mess caused by their dubious decisions is pretty widespread.<\/p>\n<blockquote><p>All told, a whopping 99,000 MongoDB installations are exposed, Gevers says.<\/p>\n<p>MongoDB security is a known problem: up until recently, the software&#8217;s default configuration is insecure. Shodan founder John Matherly warned in 2015 that some 30,000 exposed MongoDB instances were open to the internet without access controls.<\/p>\n<p>In the Antipodes, the Australian Communications and Media Authority has been reporting exposed MongoDB installations since July 2015 using intelligence provided by the ShadowServer nonprofit.<\/p>\n<p>Bruce Matthews, manager of the agency&#8217;s cyber security and unsolicited communications enforcement section, told Vulture South it has insight into IP ranges covering 90 percent of Australia.<\/p>\n<p>He says the number of exposed MongoDB databases in Australia appears to remain steady.<\/p>\n<p>&#8220;We report open and vulnerable services to AISI who can pass on the information to the operator of the service,&#8221; Matthews says. &#8220;It is important that the information is passed on.&#8221;<\/p><\/blockquote>\n<p>It&#8217;s not terribly hard to fix either, assuming it installed on the same server as the web host (if not why else would a DB have a Public IP?), just bind it to localhost and enable authentication for all databases.<\/p>\n<p>The problem now is all these &#8216;agile&#8217; tools, DevOps deploying gists on Github and automated server creation means developers with no clue about security are rolling up database servers and just using them. I blame the MEAN stack.<\/p>\n<p>Source: <a href=\"http:\/\/www.theregister.co.uk\/2017\/01\/09\/mongodb\/\">The Register<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ah our favourite database in the news again, being hailed as the MongoDB Ransack a whole bunch of people have turned the insecure MongoDB default configuration into a ransom opportunity. They are deleting\/stealing databases and soliciting bitcoin payments to return the data. With multiple actors doing the same stuff though it&#8217;s hard to know who [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"Being hailed as the MongoDB Ransack a whole bunch of people have turned the insecure MongoDB default configuration into a ransom opportunity.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2,17],"tags":[8855,9448,9449,629],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4395"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4395"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4395\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}