Jan 052017

If you are following what’s happening with hackers attacking misconfigured MongoDB databases, wiping the data, and then demanding ransom for its return, then you’ll know that although this problem seemed to start on or around December 21 with an actor known as “Harak1r1,” within days of it garnering media attention, we saw almost identical warning messages from another actor “0wn3d” with a different bitcoin wallet.

By this morning there was a third actor, “0704341626asdf,” with yet a third bitcoin wallet, as Victor Gevers tweeted:

This third actor, who Victor reports had struck 221 databases by early this morning, took the opportunity to educate and insult victims:

Your database has been pwned because it was publicly accessible at port 27017 with no authentication (wtf were you thinking?)

The full warning, more verbose than the other two warnings, and written in upper and lowercase with proper grammar and most accurate spelling, gives victims 72 hours to email the attacker(s) that the ransom has been sent to the bitcoin wallet. The ransom amount is .15BTC

So are the second and third actors copycats or just different aliases of one attacker or group? And if they are copycats, as they seem to be, how many more will we see?  The problem seems to be rapidly escalating.

Of note, since these MongoDB installations are often backup or test environments, how many victims will not even notice that they’ve been attacked before the 72-hour window expires?

As of the time of this posting, there have been 18 payments to the first bitcoin wallet, but none (yet) to the second and third bitcoin wallets.

Expect to see a lot more on this type of attack as word spreads.

Update: Even more worryingly, Gevers now reports that in some variants, databases are just being dropped without extraction.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>