Early on Jan. 9, about 12,000 MongoDB database servers were compromised. Later the number rose to 28,000 servers. As many as 46,000 servers are vulnerable to this attack.
A cyber-criminal using the alias “Harak1r1” exploited a weakness in the default installation of the popular database solution, MongoDB. He demanded a 0.2BTC ransom ($220) to return the data he exfiltrated from thousands of victim systems. Older installations of MongoDB that were deployed via cloud hosting services in an insecure default configuration were attacked. Most of the attacks happened on the AWS platform, although other cloud computing platforms were affected as well.
It seems that older versions of MongoDB were installed with open ports accessible to the Internet without a set administrator password. The attacker took over these systems, then copied and exported the data in the databases. Then he deleted the data, and replaced it with a ransom demand. This exploit did not need a phishing approach or a malware installation. The attack just exploited poorly configured systems.
He probably used automated scanning tools to find systems running MongoDB, which may account for so many of the systems being on AWS. The automated tool would run more quickly on a defined subnet.
Why did this happen? AWS is a popular platform with the DIY crowd, and many of these people may be experienced technicians in some aspect of their project, but they are not getting into the manual, where there are instructions on how to set up an administrative account with a proper password.
If you are running a MongoDB server and have not been hacked yet, it probably means you set up a proper administrative account and have your system secured in other ways as well. But it is worth a look to check and be sure. And if you are not doing some sort of backup of your system and database, that is the next item on your to-do list. And read the manual, for crying out loud!
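As an added illustration (not part of the original post), here is a small Python audit for the two mongod.conf settings at the heart of this incident: a listener bound to every interface and authorization left off. The minimal parser and the sample configurations are constructed for the example; the option names net.bindIp, net.bindIpAll and security.authorization are real mongod options.

```python
# Added example (not from the original post): flag the two mongod.conf settings
# behind the Jan 2017 ransom attacks. Sample configs below are constructed.

def parse_mongod_conf(text):
    """Flatten mongod's YAML (nested key: value maps only, no lists/anchors)
    into dotted keys, e.g. {'net.bindIp': '0.0.0.0'}. Deliberately minimal."""
    result, stack = {}, []          # stack holds (indent, key) of enclosing maps
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave maps we have outdented from
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            result[path] = value
        else:                                    # a nested map begins here
            stack.append((indent, key.strip()))
    return result

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg, findings = parse_mongod_conf(text), []
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    bind_ip = cfg.get("net.bindIp")
    if bind_ip is None and not bind_all:
        findings.append("net.bindIp unset: mongod before 3.6 listened on all interfaces by default")
    elif bind_all or any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp binds every interface: reachable from the Internet if the host is")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not 'enabled': any client that connects is an admin")
    return findings

# Constructed sample: the exposed, passwordless layout the attacks relied on.
INSECURE_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0   # listen on every interface
"""
# Constructed sample: localhost-only listener plus mandatory authentication.
HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```

Run `audit_mongod_conf(open("/etc/mongod.conf").read())` on a host you administer; an empty list means the listener is local-only and authorization is on, though it says nothing about whether an admin user with a strong password was actually created.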