Multiple Attackers Hijacking MongoDB Databases for Ransom

The recently reported hijacking of MongoDB databases to hold their content for ransom is picking up pace as more hackers are trying to monetize the attack method, security researchers say.
Late last year, researcher Victor Gevers discovered a hijacked database that had its content stolen and replaced with one that informed owners they should pay a ransom to regain access to the content. While thought at first to be an isolated incident, the attack proved to be widespread, with thousands of databases hit within two weeks or so.
The number of hijacked MongoDB databases appears to have been growing fast over the past couple of days, and has surpassed 10,000 as of this morning, Niall Merrigan reveals. The worrying part is that there are now three hackers or groups of hackers targeting those databases.
What the attack consists of is simple: the hijackers scan for MongoDB instances exposed to the Internet without authentication, connect to them, wipe their content, and leave behind a database called WARNING whose only content is the ransom note. In many cases, owners are instructed to pay a 0.2 Bitcoin ransom to regain access to their data.

A quick look at the Bitcoin address victims are told to pay reveals that at least 17 companies have already paid the ransom (the number of received payments is larger). At least 8,600 insecure databases are believed to have been compromised by this first attacker alone.
Most recently, the attackers changed the email address included in the ransom note, as well as the Bitcoin address used in their attacks. Security researchers managed to track at least four such addresses associated with this group of hackers.
According to MacKeeper, one of the hijacked databases belonged to Emory Healthcare, and over 200,000 data records might have been compromised in the process. MacKeeper says it discovered the misconfigured database on Dec. 30, 2016, and found it hijacked on Jan. 3, 2017, when the team went back to review the data.
Over the past few days, however, more hackers have joined the operation. One group is replacing the targeted databases with one called WARNING_ALERT, while another is replacing them with one called PWNED (with a variation that gives victims only 72 hours to pay). The former demands a 0.5 Bitcoin ransom and has already hit over 930 databases; the latter demands 0.15 Bitcoin and has compromised over 750.
This morning, the researchers noticed a fourth group hijacking the databases, this time asking for a larger ransom: 1 Bitcoin. The group is replacing the databases with one called PLEASE_READ, and it is believed to have hit at least 13 of them so far.
According to Victor Gevers, companies should not pay the ransom, as this won’t guarantee the safe recovery of their data. In fact, he advises against paying, saying that some of the databases are being deleted, and that the crooks behind the attack can’t return the data even if the victim pays up.
“From numerous sources (log files) and reports by owners we can say that most of the attackers do not copy the data but make 3 times a connection with a duration between 5ms and 500ms which is enough to: 1. create new database; 2. write the note; 3. drop a database in this specific order. In a few cases where the owner could check outbound traffic between these times, there is no evidence of any data exfil. This means we can confirm that this actor does not have any data, so paying ransom is a bad idea,” Gevers told SecurityWeek.
Gevers also warns that some databases are being overwritten multiple times, most likely because the attackers' scans overlap and the same exposed instances are hit by more than one group.
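The hit pattern Gevers describes (a handful of connections, each well under a second, that write a note database and drop a real one) is something a defender can look for in mongod's own log. The script below is an added example, not the researchers' tooling or anything published with this article; it assumes the plain-text log format of MongoDB 3.x ("connection accepted from", "command DB.coll command: insert", "dropDatabase DB starting", "end connection"), and the log lines it runs over are constructed for the example, with the ransom-note database names taken from the names reported above (WARNING, WARNING_ALERT, PWNED, PLEASE_READ). It also flags a note database that a later, different source dropped, which is the overlap between groups that leaves some victims hit more than once.

```python
"""Added example (not the researchers' tooling): flags the hit pattern Gevers describes in a
mongod 3.x-style text log: a short-lived connection that inserts a ransom note and/or drops a database."""
import re
from datetime import datetime

RANSOM_DB_NAMES = {"WARNING", "WARNING_ALERT", "PWNED", "PLEASE_READ"}  # names reported in the article
MAX_HIT_MS = 500   # Gevers: each hijacking connection lasted between 5 ms and 500 ms

# Constructed sample lines in the shape of the MongoDB 3.x plain-text log (not a real victim's log).
# 10.0.0.5 is an ordinary application client; the two other addresses play the extortionists.
SAMPLE_LOG = [
    "2017-01-03T10:15:22.001+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:40110 #40 (1 connection now open)",
    "2017-01-03T10:15:23.500+0000 I COMMAND  [conn40] command customers.orders command: insert { insert: \"orders\", ordered: true } ninserted:1 120ms",
    "2017-01-03T10:16:05.010+0000 I NETWORK  [conn40] end connection 10.0.0.5:40110 (0 connections now open)",
    "2017-01-03T10:20:01.000+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.7:51234 #41 (1 connection now open)",
    "2017-01-03T10:20:01.040+0000 I COMMAND  [conn41] command WARNING.readme command: insert { insert: \"readme\", documents: [ { BitCoin: \"REDACTED\", email: \"REDACTED\" } ] } ninserted:1 30ms",
    "2017-01-03T10:20:01.120+0000 I NETWORK  [conn41] end connection 203.0.113.7:51234 (0 connections now open)",
    "2017-01-03T10:20:01.300+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.7:51235 #42 (1 connection now open)",
    "2017-01-03T10:20:01.350+0000 I COMMAND  [conn42] dropDatabase customers starting",
    "2017-01-03T10:20:01.390+0000 I COMMAND  [conn42] dropDatabase customers finished",
    "2017-01-03T10:20:01.410+0000 I NETWORK  [conn42] end connection 203.0.113.7:51235 (0 connections now open)",
    "2017-01-05T03:02:10.000+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.23:60001 #77 (1 connection now open)",
    "2017-01-05T03:02:10.020+0000 I COMMAND  [conn77] command PWNED.readme command: insert { insert: \"readme\", documents: [ { BTC: \"REDACTED\", hours: 72 } ] } ninserted:1 12ms",
    "2017-01-05T03:02:10.060+0000 I COMMAND  [conn77] dropDatabase WARNING starting",
    "2017-01-05T03:02:10.090+0000 I NETWORK  [conn77] end connection 198.51.100.23:60001 (0 connections now open)",
]

_ACCEPT = re.compile(r"^(\S+) I NETWORK\s+\[initandlisten\] connection accepted from (\d+\.\d+\.\d+\.\d+):\d+ #(\d+)")
_INSERT = re.compile(r"^(\S+) I COMMAND\s+\[conn(\d+)\] command ([^.\s]+)\.\S+ command: insert\b")
_DROP = re.compile(r"^(\S+) I COMMAND\s+\[conn(\d+)\] dropDatabase (\S+) starting")
_END = re.compile(r"^(\S+) I NETWORK\s+\[conn(\d+)\] end connection")


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_connections(lines):
    """Group log lines by connection: source, lifetime, databases written to, databases dropped."""
    conns = {}
    for line in lines:
        m = _ACCEPT.match(line)
        if m:
            conns[m.group(3)] = {"conn": int(m.group(3)), "src": m.group(2), "start": _ts(m.group(1)),
                                 "end": _ts(m.group(1)), "written": [], "dropped": []}
            continue
        for rx, field in ((_INSERT, "written"), (_DROP, "dropped"), (_END, None)):
            m = rx.match(line)
            if not m:
                continue
            conn = conns.get(m.group(2))
            if conn is not None:              # ignore connections accepted before the log window
                conn["end"] = _ts(m.group(1))
                if field:
                    conn[field].append(m.group(3))
            break
    return [conns[k] for k in sorted(conns, key=int)]


def ransom_hits(conns):
    """A hit is a connection that wrote into a known ransom-note database, or dropped a database
    within the sub-second lifetime Gevers observed. Ordinary clients do neither."""
    hits = []
    for c in conns:
        duration_ms = round((c["end"] - c["start"]).total_seconds() * 1000)
        note_dbs = sorted(set(c["written"]) & RANSOM_DB_NAMES)
        if note_dbs or (c["dropped"] and duration_ms <= MAX_HIT_MS):
            hits.append({"conn": c["conn"], "src": c["src"], "duration_ms": duration_ms,
                         "note_dbs": note_dbs, "dropped": sorted(set(c["dropped"]))})
    return hits


def overwritten_notes(hits):
    """Ransom-note databases later dropped by a different source address: the overlap
    between groups that leaves some victims hit more than once."""
    left_by, overwritten = {}, set()
    for h in hits:                             # hits are in connection order, i.e. chronological
        for db in h["dropped"]:
            if db in left_by and left_by[db] != h["src"]:
                overwritten.add(db)
        for db in h["note_dbs"]:
            left_by[db] = h["src"]
    return sorted(overwritten)


if __name__ == "__main__":
    hits = ransom_hits(parse_connections(SAMPLE_LOG))
    for h in hits:
        print(f"conn{h['conn']} from {h['src']}: {h['duration_ms']} ms, note={h['note_dbs']}, dropped={h['dropped']}")
    print("note databases overwritten by another actor:", overwritten_notes(hits))
```

The duration threshold is the upper bound Gevers quotes; the note-database names are an allow-list that will need extending as groups rename their notes, so the drop-plus-short-connection rule is the part worth keeping even when the names drift. Run it over a real mongod log by replacing SAMPLE_LOG with the file's lines.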
With tens of thousands of insecure MongoDB databases exposed to the Internet, it appears to be only a matter of time before the attack escalates further. For the time being, the hackers appear focused on compromising only those databases that might bring them a profit, but Gevers says that more and more victims are contacting him for help.
In a blog post on Friday, MongoDB’s Andreas Nilsson shared details on security best practices and steps that can be taken to secure MongoDB instances against attacks. 
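The precondition for every one of these hijackings is a mongod that answers administrative commands to an anonymous client on a public interface, which is what leaving security.authorization disabled and binding to all interfaces produces. The probe below is an added example, not MongoDB's code or anything from Nilsson's post: it speaks just enough of the legacy OP_QUERY wire format (the one 3.x-era servers accept; it is assumed the target is that generation, since 5.1+ rejects OP_QUERY for most commands) to send listDatabases without credentials and classify the reply, and it reports any of the ransom-note database names from this article that are already present. The reply documents in the main block are constructed so the classification can be exercised offline; probe() is the live check, for hosts you own.

```python
"""Added example (not MongoDB's or the article's code): dependency-free check of whether a
mongod answers listDatabases to an anonymous client, using the legacy OP_QUERY wire format."""
import socket
import struct

OP_QUERY = 2004   # legacy opcode; assumption: 3.x/4.x target (5.1+ rejects it for most commands)
OP_REPLY = 1
RANSOM_DB_NAMES = {"WARNING", "WARNING_ALERT", "PWNED", "PLEASE_READ"}  # names reported in the article


def bson_encode(doc):
    """Encode a dict as BSON (only the types this probe needs)."""
    body = b""
    for key, value in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(value, bool):               # bool before int: bool is an int subclass
            body += b"\x08" + k + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + k + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + k + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(value, list):             # arrays are documents keyed "0", "1", ...
            body += b"\x04" + k + bson_encode({str(i): v for i, v in enumerate(value)})
        elif isinstance(value, dict):
            body += b"\x03" + k + bson_encode(value)
        else:
            raise TypeError(f"unsupported value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(buf, pos=0):
    """Decode one BSON document at buf[pos]; returns (dict, end_offset)."""
    (size,) = struct.unpack_from("<i", buf, pos)
    end, pos, out = pos + size, pos + 4, {}
    while buf[pos] != 0:
        t, pos = buf[pos], pos + 1
        nul = buf.index(b"\x00", pos)
        key, pos = buf[pos:nul].decode(), nul + 1
        if t == 0x01:
            (value,), pos = struct.unpack_from("<d", buf, pos), pos + 8
        elif t == 0x02:                           # int32 length (incl. NUL) + utf8 + NUL
            (slen,) = struct.unpack_from("<i", buf, pos)
            value, pos = buf[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif t in (0x03, 0x04):
            value, pos = bson_decode(buf, pos)
            if t == 0x04:
                value = [value[str(i)] for i in range(len(value))]
        elif t == 0x08:
            value, pos = buf[pos] == 1, pos + 1
        elif t == 0x10:
            (value,), pos = struct.unpack_from("<i", buf, pos), pos + 4
        elif t == 0x12:
            (value,), pos = struct.unpack_from("<q", buf, pos), pos + 8
        else:
            raise ValueError(f"BSON type 0x{t:02x} not handled (key {key!r})")
        out[key] = value
    return out, end


def build_query(command, request_id=1):
    """OP_QUERY against admin.$cmd carrying one command document (numberToReturn = -1)."""
    body = struct.pack("<i", 0) + b"admin.$cmd\x00" + struct.pack("<ii", 0, -1) + bson_encode(command)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def build_reply(doc, response_to=1):
    """Constructed OP_REPLY carrying one document: offline demonstration only, not server output."""
    payload = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(payload), 99, response_to, OP_REPLY) + payload


def parse_reply(raw):
    """Return the first document of an OP_REPLY message (header 16 bytes, reply fields 20 bytes)."""
    _length, _req, _resp_to, opcode = struct.unpack_from("<iiii", raw, 0)
    if opcode != OP_REPLY:
        raise ValueError(f"unexpected opcode {opcode}")
    _flags, _cursor, _start, nreturned = struct.unpack_from("<iqii", raw, 16)
    if nreturned < 1:
        raise ValueError("reply carried no document")
    return bson_decode(raw, 36)[0]


def classify(reply):
    """OPEN: an anonymous client can enumerate (and, from the same position, drop) every database."""
    if reply.get("ok") == 1 and "databases" in reply:
        return "OPEN"
    if reply.get("code") == 13 or "not authorized" in str(reply.get("errmsg", "")):
        return "AUTH_REQUIRED"   # error code 13 = Unauthorized: security.authorization is on
    return "UNKNOWN"


def ransom_databases(reply):
    """Ransom-note database names already left behind by one of the extortion groups, if any."""
    return sorted(d["name"] for d in reply.get("databases", []) if d["name"] in RANSOM_DB_NAMES)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host, port=27017, timeout=3.0):
    """Live check: (verdict, ransom databases present). Only run against hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_query({"listDatabases": 1}))
        head = _recv_exact(sock, 4)
        reply = parse_reply(head + _recv_exact(sock, struct.unpack("<i", head)[0] - 4))
    return classify(reply), ransom_databases(reply)


if __name__ == "__main__":
    # Offline walk-through on constructed replies; the real thing is probe("127.0.0.1").
    hijacked = build_reply({"databases": [{"name": "WARNING", "sizeOnDisk": 8192.0, "empty": False},
                                          {"name": "local", "sizeOnDisk": 65536.0, "empty": False}],
                            "totalSize": 73728.0, "ok": 1.0})
    locked = build_reply({"ok": 0.0, "errmsg": "not authorized on admin to execute command "
                                                "{ listDatabases: 1 }", "code": 13})
    for raw in (hijacked, locked):
        doc = parse_reply(raw)
        print(classify(doc), ransom_databases(doc))
```

An OPEN verdict from anywhere other than localhost is the finding to act on: enable security.authorization, create an administrative user, and set net.bindIp so the process is not listening on a public interface. An instance that answers AUTH_REQUIRED can still be reachable from the Internet, which is worth fixing too, but it cannot be wiped by the scans described above.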
“We take security very seriously, and urge users to take adequate steps to secure their data,” Ian Bruce, VP Corporate Marketing and Communications at MongoDB, told SecurityWeek.
Related: MongoDB Databases Actively Hijacked for Extortion