MongoDB Logo

UPDATE: Fears that attacks would escalate have been confirmed today, January 9, as security researchers revealed that the number of hijacked MongoDB databases has gone from ~10,000 to ~28,000. Our original article on this topic is available below.

What started as isolated incidents on Monday has transformed into an all out destruction of thousands of MongoDB servers by the end of the week.

According to recent statistics compiled by Niall Merrigan and Victor Gerves, two security researchers that have kept a close eye on the attacks, hackers have now hit around 10,500 MongoDB servers. That's about 25% of all MongoDB databases accessible via the Internet.

The attacks don't target all MongoDB databases, but only those left accessible via the Internet and without a password on the administrator account.

Starting with December 20, a hacker has been accessing some of these open databases, exporting their content, and replacing it with a ransom note.

The attacks intensified over last weekend, and since Monday, multiple groups have joined the initial hacker. Two days ago there were only three groups, now there are eight.

Many companies permanently lost their data

The situation is desperate for MongoDB owners and it doesn't show any sign of stopping. Even worse, groups are re-hacking the same servers and rewriting each other ransom notes, making it impossible to know which group downloaded the victim's data and to whom should victims pay the ransom.

All groups ask for small ransom fees, ranging from $150 to $500, which encourages victims to pay. Companies that wanted to pay the ransom, sometimes found that the group to whom they paid the ransom was not the one who stole their data, and they were forced to pay a second or third ransom to another group.

According to Gevers and Merrigan, some of these groups don't even bother exporting the databases and making a copy of the original data, meaning some unlucky companies permanently lost their data.

Gevers, who's been providing hacked companies with his services, says that in 84 cases he was unable to find "any trace of data exfiltration."

The MongoDB apocalypse

"Right now it's bedlem," Merrigan told Bleeping Computer yesterday, "attackers are deleting each others' ransoms as quick as they pop up."

"It's a very interesting case, and it's like watching a gold rush at this point," he added.

More hacking groups desperate for money are expected to join the MongoDB "gold rush" in the following days, which may also drive up the number of affected victims.

In a couple of weeks, it is reasonable to expect that all MongoDB servers exposed to the Internet will lose their data and have their content replaced with a ransom demand.

In many ways, we may be witnessing the last days of Internet-available MongoDB servers.

It is very hard to believe that after this highly-mediatized rash of ransom attacks any database administrator won't double-check to see if his MongoDB server is available online and if the admin account doesn't use a strong password.

Doing so would surely result in losing access to his database and possibly his data in a matter of hours.

At this point in time, and especially following last week's attacks, running an open MongoDB server should equate in developers losing jobs and affected customers filing lawsuits for gross negligence.

Attacks are automated through scripts, not individual hacks

But MongoDB servers have been hacked before this recent waves of attacks. Previous hacks of Internet-available MongoDB servers involved bad actors gaining access to these systems and stealing their data on a per-database attack

In most cases, the hacker would steal a company's data and sell it on underground hacking forums, or the hackers would contact the hacked company, and require a similar ransom to stay quiet about their intrusion.

Unlike the previous hacks, which were very quiet and easy to ignore and bury, this new wave of attacks is automated and very noisy, already being covered by big media outlets such as the BBC.

Joining the Dark Side with one of the hackers hijacking MongoDB servers

The fact that these attacks are all automated was confirmed to Bleeping Computer by one of the attackers, known as 0704341626asdf, the third group that got involved in the attacks, after the initial Harak1r1 and 0wn3d groups.

First and foremost, 0704341626asdf revealed that his alias is C8_H10_N4_O2, which is the chemical formula for caffeine.

"The scripts are extremely simple," C8_H10_N4_O2 said, "anyone can write them."

Asked about the amount of work he puts into watching over the attacks, C8_H10_N4_O2 said the entire operation "requires little oversight."

"I'm not even doing this mostly for money," the hacker said, taking the same moral high ground that all hackers take in every media interview. "More to make data more secure, like YTCracker said 'hack every sysadmin that act retarded'."

"You know I'm not lying because I am one of the few 'skids' that actually downloads the data," the hacker also added, making a claim we couldn't verify. "I'm not going to ruin a business or webapp for no reason, they just have to learn a lesson."

C8_H10_N4_O2: No freebies!

Nevertheless, C8_H10_N4_O2 isn't in the mood of giving companies a free pass. "If someone couldn't pay then I probably wouldn't want
to give them their data back, the only reason being others that can pay might be influenced to copy them and just say they can't pay," the hacker said. "I doubt anyone running a server will not be able to pay $150 though."

Regarding the data he downloads, the hacker had the following to say: "I do not view peoples info [sic]. I look at it maybe once to make sure my new scripts are working and that's it. I am not interested in stealing peoples data [sic] or selling emails or any of that."

In the meantime, Andreas Nilsson, Director of Product Security at MongoDB Inc., has published an updated guide on how to secure MongoDB servers, a must read for all database administrators.