TechRadar
Sead Fadilpašić

MongoDB instances are being hit in data extortion attacks, so make sure you're protected

  • Over 200,000 MongoDB servers misconfigured, 3,000 exposed without passwords
  • Hackers wiped databases, left ransom notes demanding bitcoin payments
  • Many servers run outdated versions, vulnerable to DoS and persistent access

If you’re running a MongoDB instance, you might want to double-check your configuration, as experts have flagged hackers are looking to extort you for money.

Security researchers Flare have reported finding more than 200,000 misconfigured MongoDB servers whose data is available to anyone who knows where to look. Roughly half of those are exposing operational information, and approximately 3,000 can be accessed without a password.

Of those that can be easily accessed, at least half were already broken into, since their contents were wiped. An unnamed threat actor left a ransom note, demanding $0.005 in bitcoin ($387 at press time). It is possible that among the other half many were compromised as well but decided to pay the ransom and restored their data.

How to stay safe

The threat actor reportedly has five BTC addresses that they’re using to receive the funds, with one of the five being most active.

We don’t know how many transactions the wallet has, or how many people paid the ransom demand - or if the attackers are keeping the wiped databases or if they’re simply demanding the payment for nothing.

Flare also said the pool of potential victims is far larger than those 3,000 servers. Apparently, around half (95,000) of all inspected instances were running older versions of MongoDB, which are vulnerable to various known and unknown flaws that can also be exploited for persistent access.

Most of the n-day flaws plaguing these older versions, however, can be used for denial-of-service (DoS), not data exfiltration or remote code execution. As a general rule of thumb, admins should make sure their MongoDB instances are not exposed to the internet. If they must be, then admins should at least make sure the passwords are strong, firewall rules and Kubernetes network policies strict, and configurations not copied from deployment guides.
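A concrete illustration of that advice, added here as an example (not from the Flare report or from TechRadar): the exposed configuration the article describes beside a hardened one, plus a Kubernetes NetworkPolicy that limits who can reach the database. The private address, namespace and pod labels are assumed values.

```yaml
# Weak mongod.conf (the pattern the article describes: copied from a
# deployment guide, listening on every interface, no authentication).
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from any network, including the internet
# no "security" section -> authorization is disabled by default

---
# Hardened mongod.conf: bind only to the interfaces that need it and
# require authentication for every client.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one private app-network address (assumed)
security:
  authorization: enabled        # every client must authenticate with a created user

---
# Kubernetes NetworkPolicy (assumed namespace "data" and assumed labels):
# only pods labelled app=orders-api in the same namespace may reach mongod,
# and only on TCP 27017. All other ingress to the database pods is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mongodb-ingress-allowlist
  namespace: data
spec:
  podSelector:
    matchLabels:
      app: mongodb
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: orders-api
      ports:
        - protocol: TCP
          port: 27017
```

With authorization enabled before any user exists, the first administrative user is created over a localhost connection; after that, every client needs credentials, which is the state the exposed servers in the report lacked.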
