Hackers are once again finding unsecured MongoDB databases left exposed on the internet, wiping their contents, & then leaving a ransom note asking for a cryptocurrency payment for the data’s safe return.
ZDNet reports that ransom notes have been left on almost 23,000 MongoDB databases that were unprotected on the public internet, without a password.
Unsecured MongoDB databases being attacked by hackers is hardly new. In recent years security breaches involving exposed MongoDB installations have happened many times, affecting Verizon, OCR software firm ABBYY, dating websites, & others.
What makes this attack different is that the hacker threatens to contact regulatory authorities if the victim does not pay up, reporting them for a GDPR violation.
In an example shared by ZDNet, the ransom note asked for 0.015 Bitcoins (about US $140 at current prices), failing which the data would be released & the authorities informed.
Part of the ransom note, which is in broken English, is as follows:
“All of your data is a backed up. You must pay 0.015 BTC to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked & exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR & notify them that you store user data in an open form & is not safe. Under the rules of the law, you face a heavy fine or arrest & your base dump will be dropped from our server.”
If a MongoDB database is wiped by a hacker & replaced with a ransom note, there are two important points to consider.
Will paying-up the ransom mean that you get your data back?
Almost certainly – no. The hacker may well have accessed 22,900 databases that were not properly secured online, but that is very different from actually having successfully exfiltrated what must be a large amount of data from so many servers.
Even if the hacker did copy the data before wiping it, there is no reason to believe that they will feel ‘duty-bound’ to return it to you safely!
Will you be reported for a GDPR violation?
It remains difficult to believe that a criminal hacker would make a GDPR complaint against victims, but someone else might.
Those running a MongoDB database need to ensure that it is set up securely, & not left open for attackers to wreak havoc.
The tools are in place & the information about how to use them is available; all that is needed is for system administrators to recognise that they must fix their database security as a matter of utmost priority, or risk being the next damaging hack.
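As an added illustration (not from the article, nor MongoDB's own documentation), the two mongod.conf fragments below put the exposed state described above next to the settings that close it. The private address 10.0.0.5 and the admin user name are placeholders I have assumed.

```yaml
# Constructed example: a mongod.conf in the state the ransom campaign relies on.
# Listening on every interface with authorization off means anyone who can reach
# TCP/27017 can read, drop & replace every collection, with no credentials needed.
# Since MongoDB 3.6 mongod binds to localhost by default, so an instance in this
# state was opened deliberately or carelessly.
net:
  port: 27017
  bindIp: 0.0.0.0            # reachable from the public internet
security:
  authorization: disabled    # no username/password required
---
# Hardened equivalent: bind only to the interfaces that need the service & make
# every client authenticate. 10.0.0.5 stands in for the application host's
# private address (placeholder); front the port with a firewall rule as well.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
  # Create the first administrative user over localhost BEFORE turning this on,
  # e.g. in mongosh (user name "admin" is an assumption; passwordPrompt avoids
  # leaving the password in shell history):
  #   use admin
  #   db.createUser({ user: "admin", pwd: passwordPrompt(),
  #                   roles: ["userAdminAnyDatabase"] })
```

After restarting mongod, confirm from a host outside your network that port 27017 no longer accepts connections, and keep an audited, off-server backup so a wiped database can be restored without paying anyone.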