MongoDB Ransomware Hack – What Did We Learn?

Early on Jan. 9, 2017, about 12,000 MongoDB database servers had been compromised. Later the number rose to 28,000 servers, and as many as 46,000 Internet-facing MongoDB servers were estimated to be vulnerable to the same attack.

A cyber-criminal using the alias "Harak1r1" exploited an insecure default configuration of the popular database MongoDB. He demanded a 0.2 BTC ransom (about $220 at the time) to return the data he claimed to have exfiltrated from thousands of victim systems. The targets were older MongoDB installations that had been deployed on cloud hosting services in that insecure default configuration. Most of the attacks hit the AWS platform, although other cloud computing platforms were affected as well.

Older MongoDB installations listened on the default TCP port (27017) on every network interface, were reachable from the Internet, and had no administrator account or password configured, because MongoDB does not require authentication unless it is explicitly enabled. The attacker simply connected to these systems, copied and exported the data in the databases, deleted it, and replaced it with a ransom demand. No phishing and no malware installation were needed: the attack just exploited poorly configured systems.

He probably used automated scanning tools to find hosts with port 27017 open, which may account for so many of the victims being on AWS: AWS publishes its public IP address ranges, so a scanner sweeping those defined subnets finds exposed servers quickly.

Why did this happen? AWS is a popular platform with the DIY crowd, and many of those people may be experienced technicians in some aspect of their project, but they are not reading the manual, where the instructions for setting up an administrative account with a proper password can be found.

If you are running a MongoDB server and have not been hacked yet, it probably means you set up a proper administrative account and secured your system in other ways as well. But it is worth a look to check and be sure: confirm that mongod is bound to localhost or a private interface, that authorization is enabled, and that port 27017 is not open to the Internet in your firewall or cloud security group. If you are not doing some sort of backup of your system and database, that is the next item on your to-do list. And read the manual, for crying out loud!
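As an added example (not from the original post), here is a small shell audit of the two settings behind this attack, the bind address and whether authorization is enabled. It reads a mongod.conf in either the YAML format (MongoDB 2.6 and later) or the older key=value format, and prints one finding per setting. The function names and the two sample config files are constructed for this illustration; the "hardened" sample shows the corrected values beside the exposed ones.

```shell
#!/bin/sh
# Added example, not from the original post. audit_mongod_conf, exposure_count
# and the two sample configs are constructed for this illustration.
#
# Reads a mongod.conf and reports on the two settings that let the attack in:
#   YAML format (MongoDB 2.6+):  net.bindIp and security.authorization
#   legacy key=value format:     bind_ip and auth
# Block-style YAML only; flow style such as "net: { bindIp: ... }" is not parsed.

# audit_mongod_conf [FILE]  -- reads FILE (or stdin), prints one finding per line
audit_mongod_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); gsub(/"/, "", s); return s }

        # skip blank lines and comments
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }

        # YAML: an unindented "name:" line opens a section (net:, security:, ...)
        /^[A-Za-z]+:[ \t]*$/ { section = $1; sub(/:$/, "", section); next }

        # YAML: indented "key: value" line belongs to the current section
        /^[ \t]+[A-Za-z]+:/ {
            key = $1; sub(/:$/, "", key)
            value = trim(substr($0, index($0, ":") + 1))
            if (section == "net"      && key == "bindIp")        bind = value
            if (section == "security" && key == "authorization") auth = value
            next
        }

        # legacy format: "bind_ip = 127.0.0.1" and "auth = true"
        /^[ \t]*bind_ip[ \t]*=/ { bind = trim(substr($0, index($0, "=") + 1)) }
        /^[ \t]*auth[ \t]*=/    { auth = (trim(substr($0, index($0, "=") + 1)) == "true") ? "enabled" : "disabled" }

        END {
            if (bind == "")
                print "EXPOSED: bind address unset (mongod before 3.6 then listens on every interface)"
            else if (bind == "0.0.0.0")
                print "EXPOSED: bindIp is 0.0.0.0 (listens on every interface)"
            else
                print "OK: bindIp is " bind

            if (auth == "enabled")
                print "OK: authorization is enabled"
            else
                print "EXPOSED: authorization is " (auth == "" ? "unset" : auth) " (no login required)"
        }
    ' "$@"
}

# exposure_count -- number of EXPOSED findings for a config on stdin (0 means it passes)
exposure_count() {
    audit_mongod_conf | awk '/^EXPOSED/ { n++ } END { print n + 0 }'
}

# Constructed sample: the sort of config the compromised servers were running
exposed_conf() {
    cat <<'EOF'
# mongod.conf from a stock cloud image, never hardened
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
}

# Constructed sample: the same server after the two fixes. Create the admin
# user with db.createUser in the admin database when you enable authorization.
hardened_conf() {
    cat <<'EOF'
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF
}

echo "== exposed sample =="
exposed_conf | audit_mongod_conf
echo "== hardened sample =="
hardened_conf | audit_mongod_conf
```

Run it against your own server with `audit_mongod_conf /etc/mongod.conf`. It only inspects the file, not the running process, so after fixing the config restart mongod and also confirm from outside the host that port 27017 is closed in the firewall or cloud security group.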


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
