An unknown hacker took control of over 22,900 unsecured MongoDB databases that were left online without password protection, a number that accounts for roughly47% of all MongoDB databases available online, according to the Sophos report.
The hacker uploaded a ransom note demanding a 0.015 bitcoin (approximately $140) payment and also threatened to leak the data and then report to GDPR authorities.
“All your data is backed up. You must pay 0.015 BTC within 48 hours to recover it. After 48 hours, we will leak and expose all your data. If you refuse to pay, we will contact the General Data Protection Regulation authority and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server,” the hacker’s ransom note read.
Sophos learned that the hacker used an automated script to scan for misconfigured MongoDB databases online. The hacker accessed the same databases and dropped the same ransom note multiple times.
Focus on Unsecured Databases
Every minute is an opportunity for threat actors when they find an unsecure server left online. A recent security experiment by Comparitech led by cybersecurity researcher Bob Diachenko discovered that cybercriminals attacked a model of an unsecured database 18 times in a single day. In a security alert, Comparitech explained how unauthorized third parties find, gain access, and alter exposed data without any authentication process, leaving users’ privacy at risk. The company set up a honeypot to know how quickly the hackers would attack an Elasticsearch server with a dummy database and fake data in it.
Comparitech left the exposed data from May 11 until May 22, 2020. It found 175 attacks in just eight hours after the server was deployed, and the number of attacks in one day totaled to 22. All attackers were not looking to steal data. Some targeted unsecure servers to mine cryptocurrency, steal passwords, and destroy data, Comparitech stated.