Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
Database Hijackings: Who's Next?
Hackers Reportedly Holding Databases for RansomHackers have apparently hijacked potentially thousands of vulnerable MongoDB databases and demanded ransoms for the return of critical data, with some victims paying up, according to security researchers.
See Also: Introduction to Elastic Security: Modernizing security operations
Security experts are warning organizations to take immediate risk mitigation steps, including hardening and updating databases and ensuring disaster recovery plans reflect the emerging threat.
Researcher Victor Gevers, co-founder of the not-for-profit GDI Foundation, says he discovered in December that a hacker dubbed Harak1r1 was compromising misconfigured MongoDB servers left open to external connections and attempting to extort ransoms for stolen data after erasing the databases.
In a Jan. 5 tweet, Gevers writes that the GDI Foundation in December "warned 60 companies" about the "open MongoDB" that GDI had identified and by Jan. 2, "47 were hit by harak1r1."
Gevers determined that the Harak1r1 attacker is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a Bitcoin ransom to return the data, Bleeping Computer reports.
More than 1,800 Mongo databases have been taken over so far, according to statistics collected by Shodan, a search engine that indexes Internet-connected devices, and at least 11 victims paid the ransom, according to Blockchain.info, Bleeping Computer reports.
"After accessing these [Mongo] databases, the attacker steals their content and denies access to it by replacing the databases with one called 'WARNING,' containing one table with one record, both called 'WARNING' too," Gevers told SecurityWeek.
Victims are instructed to send 0.2 bitcoins, worth about $194, to a specific Bitcoins address to recover their data, SecurityWeek reports.
In Dec 2016 @GDI_FDN warned a 60 companies for an open MongoDB
— Victor Gevers (@0xDUDE) January 5, 2017
47 were hit by harak1r1 on 1/2. On 1/5 0wn3d overwrites note on 33 of them.
Meanwhile, the blog Databreaches.net reported on Jan. 5 that Gevers says there could be at least two additional bad actors besides Harak1r1 demanding ransoms for attacks on Mongo databases.
Gevers did not respond to my inquiries about the issue.
A spokesman for MongoDB Inc., which offers the open source database, offered this response: "The vulnerable instances of MongoDB are unsecured and left open on the internet. We strongly encourage all users to take adequate measures to secure their data, and to use the latest version of our product that provides the most up-to-date security features." The spokesman advises users to visit the company's blog post about MongoDB security features.
One Apparent Victim: Emory Healthcare
MacKeeper Security Research Center claims that among the apparent victims is Emory Healthcare in Atlanta.
In a Jan. 4 blog posting, MacKeeper claims that on Dec. 30, its security researchers discovered a misconfigured Mongo database that "contained hundreds of thousands of what appeared to be patient records and other sensitive information" belonging to Emory Healthcare in Atlanta. "The IP was hosted on Google Cloud and results for domain names hosted on that address (Reverse IP) identified Emory Brain Health Center," MacKeeper writes.
"On Jan 3, 2017 when the research team went back to review the data it was identified that the database had been a victim of the Harak1r1 the 0.2 Bitcoin Ransomware. This non-traditional ransom method actually takes and removes the victims' data and holds it until the ransom is paid. The data is wiped out completely from the database and is not simply encrypted like most common types of ransomware attacks."
MacKeeper claims that about 200,000 Emory Healthcare records appear to be impacted. But the healthcare provider has not verified any details.
In a statement provided to Information Security Media, an Emory spokesperson says: "We are in the process of gathering information, but we don't have anything else at this time" to share about the alleged incident.
How to Mitigate Related Risks
Security experts tell me that organizations can take several steps to avoid becoming the next MongoDB hacker victim - or a victim of similar attacks on other vulnerable data.
"Organizations should always maintain routine backups of their databases and also have a documented recovery process in place in case something like this were to happen," says Brian Bartholomew, senior security researcher at Kaspersky Lab.
"Keeping database software up to date and following standard practice regarding accounts and access should help shrink the exposure and risk to ransomware like this," he adds. "Organizations should also be educating employees and IT teams about ransomware and the dangers of this threat."
As for misconfigured databases leaving entities vulnerable, "essentially this is a hardening issue," says Mac McMillan, CEO of the security consulting firm CynergisTek. "Organizations need to work with the vendor ... to harden or secure the database and the operating system and ensure that it is maintained in terms of patches, configuration and access actively.
"For the attacker to do this they had to gain some level of privileged access that allowed them to exfiltrate the data, which means this database or the OS were not secured very well."
To avoid becoming a victim of hijacking attacks, Dan Berger, CEO of the security consulting firm Redspin, advises organizations using MongoDB to "block access to certain ports and check to see if any secret admin users have been added to MongoDB accounts, or if any suspicious files have been recently saved, or if there are any unauthorized access attempts in the log files."