MongoDB Ransomware Hack – What Did We Learn?

Early on Jan. 9, about 12,000 MongoDB database servers were compromised. Later the number rose to 28,000 servers.  As many as 46,000 servers are vulnerable to this attack.

A cyber-criminal using the alias “Harak1r1” exploited a weakness in the default installation of the popular database solution, MongoDB.  He demanded a 0.2BTC ransom ($220) to return the data he exfiltrated from thousands of victim systems.  Older installations of MongoDB that were deployed via cloud hosting services in an insecure default configuration were attacked.  Most of the attacks happened on the AWS platform, although other cloud computing platforms were affected as well.

It seems that older versions of MongoDB were installed with open ports accessible to the Internet without a set administrator password.  The attacker took over these systems, then copied and exported the data in the databases.  Then he deleted the data, and replaced it with a ransom demand. This exploit did not need a phishing approach or a malware installation.  The attack just exploited poorly configured systems.

He probably used automated scanning tools to find systems running MongoDB, which may account for so many of the systems being on AWS.  The automated tool would run more quickly on a defined subnet.

Why did this happen?  AWS is a popular platform with DIY crowd, and many of they people may be experienced technicians in some aspect of their project, but they are not getting into the manual where there are instructions on how to set up an administrative account with a proper password.

If you are running a MongoDB server, and have not been hacked yet, it probably means you set up a proper administrative account, and have your system secured in other ways as well.  But it is worth a look to check and be sure.  And if you are not doing some sort of backup of your system and database, that is the next item on your to do list.  And read the manual for crying out loud!

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.