- Over 200,000 MongoDB servers misconfigured, 3,000 exposed without passwords
- Hackers deleted databases, left ransom notes and demanded bitcoin payments
- Many servers run outdated versions, vulnerable to DoS and persistent access
If you’re running a MongoDB instance, you might want to double-check your configuration, as experts have flagged that hackers are looking to extort money from you.
Security researchers Flare have reported finding more than 200,000 misconfigured MongoDB servers whose data is available to anyone who knows where to look. About half of them reveal operational information, and approximately 3,000 can be accessed without a password.
Of those that can be easily accessed, at least half had already been broken into and had their contents wiped. An unnamed threat actor left a ransom note demanding $0.005 in bitcoin ($387 at press time). It is possible that many of the other half were also compromised, but that their owners paid the ransom and recovered their data.
How to stay safe
The threat actor uses five BTC addresses to receive the funds, with one of the five being the most active.
We don’t know how many transactions the wallet has, or how many people have paid the ransom demand – or if the attackers keep the deleted databases, or if they simply demand the payment for nothing.
Flare also said that the potential victims number much more than 3,000 servers. Apparently, about half (95,000) of all inspected instances were running older versions of MongoDB, which are vulnerable to various known and unknown bugs that can also be exploited for persistent access.
However, most of the n-day bugs that plague these older versions can be used for denial-of-service (DoS), not data exfiltration or remote code execution. As a general rule of thumb, administrators should ensure that their MongoDB instances are not exposed to the Internet. If an instance must be exposed, administrators should at least ensure that passwords are strong, firewall rules and Kubernetes network policies are strict, and configurations are not copied from deployment guides.



