- Over 200,000 MongoDB servers misconfigured, 3,000 exposed without passwords
- Hackers wiped databases and left ransom notes demanding payments in bitcoins
- Many servers are running outdated versions, vulnerable to DoS and persistent access
If you are running a MongoDB instance, you may want to double-check your configuration, as experts have warned that hackers are looking to extort money from you.
Flare security researchers reported finding more than 200,000 misconfigured MongoDB servers whose data is available to anyone who knows where to look. About half of them expose operational information and about 3,000 can be accessed without a password.
Of those that can be easily accessed, at least half have already been raided, as their content has been deleted. An anonymous threat actor left a ransom note, demanding $0.005 in bitcoin ($387 at press time). It is possible that many servers among the other half were also compromised, but that their owners decided to pay the ransom and restore their data.
How to stay safe
The threat actor is alleged to have five BTC addresses that they are using to receive the funds, with one of the five being the most active.
We don’t know how many transactions the wallet has, how many people paid the ransom demand, or whether the attackers keep the deleted databases or simply demand payment for nothing.
Flare also said that the number of potential victims is well over 3,000 servers. Apparently, around half (95,000) of all inspected instances were running older versions of MongoDB, which are vulnerable to several known and unknown flaws that can also be exploited for persistent access.
However, most of the n-day flaws affecting these older versions can be used for denial of service (DoS), not data exfiltration or remote code execution. As a general rule, administrators should ensure that their MongoDB instances are not exposed to the Internet. If exposure is necessary, administrators should at least ensure that passwords are strong, firewall rules and Kubernetes network policies are strict, and configurations are not copied from deployment guides.