
A hacker has uploaded ransom notes to 22,900 MongoDB databases left exposed online without a password, a number that accounts for roughly 47% of all MongoDB databases accessible online. The attacker uses an automated script that scans for misconfigured MongoDB databases, wipes their content, and leaves behind a ransom note asking for a 0.015 bitcoin (~$140) payment.
The attacker is giving companies two days to pay, and threatens to leak their data and then contact the victim's local General Data Protection Regulation (GDPR) enforcement authority to report their data leak. Attacks planting this ransom note (READ_ME_TO_RECOVER_YOUR_DATA) have been seen as early as April 2020.
Victor Gevers, a security researcher with the GDI Foundation, has said the initial attacks didn't include the data-wiping step. The attacker kept connecting to the same database, leaving the ransom note, and then returning a few days later to leave another copy of the same ransom note.
According to Gevers, the attacker appears to have realized they made a mistake in their script. Since yesterday, the hacker has corrected the script and is now actually wiping MongoDB databases clean. Gevers said: "It's all gone, everything."
While some of these databases appear to be test instances, Gevers said that some production systems were also hit and have now had staging data deleted. Gevers, who reports exposed servers to companies as part of his duties at the GDI Foundation, said he noticed the wiped systems earlier while checking on MongoDB systems he was scheduled to report and get secured.
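A defender-side check prompted by the exposure described above, added here as an example and not code from the article or the GDI Foundation: it audits the two mongod.conf settings that let an instance answer unauthenticated connections from the internet, and flags the ransom-note name in a database listing. The small config parser handles only the two-level `key: value` layout of mongod.conf (an assumption that covers the keys audited), and the sample configs and names are constructed.

```python
import re

# Name of the ransom note the article reports being planted in exposed instances.
RANSOM_MARKER = "READ_ME_TO_RECOVER_YOUR_DATA"

# Constructed sample configs: an exposed instance and its hardened counterpart.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface, and no 'security' section at all
"""
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_mongod_conf(text):
    """Minimal parser for the 'section:\\n  key: value' subset of mongod.conf.
    Assumption: two levels of nesting and no lists, which covers the keys audited."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(\s*)([A-Za-z][\w.]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:                                 # top-level section
            section = key
        elif section:
            settings[f"{section}.{key}"] = value.strip()
    return settings

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s, findings = parse_mongod_conf(text), []
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client gets full access")
    listen_all = s.get("net.bindIpAll", "false").lower() == "true"
    ips = [ip.strip() for ip in s.get("net.bindIp", "127.0.0.1").split(",")]
    if listen_all or any(ip in ("0.0.0.0", "::") for ip in ips):
        findings.append("net.bindIp/bindIpAll exposes the port on all interfaces")
    return findings

def find_ransom_notes(names):
    """Flag database or collection names carrying the ransom-note marker."""
    return [n for n in names if RANSOM_MARKER in n]
```

Feed `find_ransom_notes` the output of `list_database_names()` or `list_collection_names()` from a monitoring job to catch a planted note before the wipe pass arrives.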