Hackers exploit unsecured MongoDB instances to wipe data and demand ransom

Over 1,400 exposed MongoDB servers have been hijacked and wiped by hackers, who left ransom notes after exploiting weak or missing access controls.

Cybersecurity firm Flare reports that unsecured MongoDB databases remain easy targets: of 3,100 servers fully exposed to the internet, 1,416 had already been compromised. The attackers wiped the data and left ransom notes, almost always demanding about $500 in Bitcoin and almost always pointing to the same wallet. While over 200,000 MongoDB servers are publicly discoverable, the real risk is concentrated in those left online without authentication or network access restrictions.

“Our analysis revealed more than 200,000 servers running MongoDB that were publicly discoverable. Of these, slightly over 100,000 instances disclosed operational information, and 3,100 were fully exposed to the internet without access restrictions,” reads the report published by Flare. “Among the 3,100 fully exposed servers, 1,416 instances (45.6%) had already been compromised, with their databases wiped and replaced with a ransom note. In nearly all cases, the ransom demand was approximately $500 USD in Bitcoin.”

The researchers noted that in nearly all cases the same Bitcoin address appears in the ransom notes, pointing to a single attacker. Flare also notes that some servers that now appear unaffected may have paid and restored their data, so it puts the attacker's possible earnings anywhere between $0 and $842,000.

“Notably, only five distinct Bitcoin wallets were observed across all incidents, with the wallet bc1qe2l4ffmsqfdu43d7n76hp2ksmhclt5g9krx3du appearing in over 98% of cases. This strongly suggests the activity is attributable to a single dominant actor, likely the same attacker documented in our previous dark web research,” states the report.

The researchers also observed that over 95,000 servers had at least one known vulnerability; however, most of those flaws only enable denial of service. The real risk comes from misconfiguration, with thousands of databases left online with no authentication and no network restrictions, so anyone who can reach port 27017 can list, read, drop and replace their contents.
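The following is an added example, not code from Flare's report or from MongoDB's own tooling: a standard-library-only probe that does what the attacker's scanner must do, namely connect to a host and issue `listDatabases` with no credentials over the wire protocol, then classify the answer. It assumes the target speaks OP_MSG (MongoDB 3.6 and later) and that an unauthenticated `listDatabases` succeeding against the `admin` database means access control is off; the `status` labels and the function names are this example's own. Run it only against hosts you are authorized to test.

```python
# Added example (not Flare's or MongoDB's code): unauthenticated listDatabases probe.
# Assumes OP_MSG (MongoDB 3.6+); a success without credentials means no access control.
import socket
import struct

OP_MSG = 2013       # opcode of the modern wire-protocol message
UNAUTHORIZED = 13   # error code mongod returns when a command needs authentication


def encode_bson(doc: dict) -> bytes:
    """Minimal BSON encoder: bool, int32/int64, float, str, None, dict, list."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):                      # bool before int: bool is an int subclass
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            if -2**31 <= value < 2**31:
                body += b"\x10" + name + struct.pack("<i", value)
            else:
                body += b"\x12" + name + struct.pack("<q", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(raw)) + raw
        elif value is None:
            body += b"\x0a" + name
        elif isinstance(value, dict):
            body += b"\x03" + name + encode_bson(value)
        elif isinstance(value, list):                    # arrays are documents keyed "0","1",...
            body += b"\x04" + name + encode_bson({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported BSON value for key {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"   # int32 length + body + 0x00


def decode_bson(data: bytes, offset: int = 0):
    """Decode the BSON document at offset; returns (dict, offset just past it)."""
    end = offset + struct.unpack_from("<i", data, offset)[0]
    pos, doc = offset + 4, {}
    while data[pos] != 0:                                # 0x00 terminates the element list
        typ, pos = data[pos], pos + 1
        key_end = data.index(b"\x00", pos)
        key, pos = data[pos:key_end].decode(), key_end + 1
        if typ == 0x01:
            doc[key], pos = struct.unpack_from("<d", data, pos)[0], pos + 8
        elif typ == 0x02:                                # int32 length (incl. NUL) + bytes + NUL
            n = struct.unpack_from("<i", data, pos)[0]
            doc[key], pos = data[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif typ in (0x03, 0x04):
            sub, pos = decode_bson(data, pos)
            doc[key] = sub if typ == 0x03 else [sub[str(i)] for i in range(len(sub))]
        elif typ == 0x08:
            doc[key], pos = data[pos] == 1, pos + 1
        elif typ == 0x0A:
            doc[key] = None
        elif typ == 0x10:
            doc[key], pos = struct.unpack_from("<i", data, pos)[0], pos + 4
        elif typ == 0x12:
            doc[key], pos = struct.unpack_from("<q", data, pos)[0], pos + 8
        else:
            raise ValueError(f"unsupported BSON type 0x{typ:02x} for key {key!r}")
    return doc, end


def build_op_msg(command: dict, request_id: int = 1) -> bytes:
    """Frame a command as OP_MSG: 16-byte header, flagBits=0, one kind-0 body section."""
    payload = struct.pack("<I", 0) + b"\x00" + encode_bson(command)
    return struct.pack("<iiii", 16 + len(payload), request_id, 0, OP_MSG) + payload


def parse_op_msg(message: bytes) -> dict:
    """Pull the body document out of an OP_MSG reply (no checksum section expected)."""
    opcode = struct.unpack_from("<i", message, 12)[0]
    if opcode != OP_MSG:
        raise ValueError(f"unexpected opcode {opcode}")
    return decode_bson(message, 16 + 4 + 1)[0]          # header + flagBits + section kind


def classify(reply: dict):
    """Map a listDatabases reply to ('exposed' | 'auth-required' | 'other', db names)."""
    if reply.get("ok") == 1 and "databases" in reply:  # answered without credentials
        return "exposed", [db["name"] for db in reply["databases"]]
    if reply.get("code") == UNAUTHORIZED:
        return "auth-required", []
    return "other", []


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host: str, port: int = 27017, timeout: float = 5.0):
    """Send an unauthenticated listDatabases to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        head = _recv_exact(sock, 4)                       # messageLength comes first
        body = _recv_exact(sock, struct.unpack("<i", head)[0] - 4)
        return classify(parse_op_msg(head + body))
```

Call `probe("db.example.internal")` from a host other than the server itself: with `security.authorization: enabled` in `mongod.conf`, a server that still has no users created honours the localhost exception, so a probe run on the box would wrongly report it exposed. An `exposed` verdict also hands back the database names, which is where a wiped instance shows nothing but the ransom-note database the attacker left behind. The fix is the hardening the report recommends: enable authorization, bind `net.bindIp` to the interfaces that actually need it, and keep port 27017 off the public internet.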

“While there are currently no known pre-authentication remote code execution (RCE) vulnerabilities in MongoDB, and our findings indicate that MongoDB is not being widely exploited at the vulnerability level, the risk remains significant. A single pre-auth RCE zero-day in MongoDB could instantly expose hundreds of thousands of servers and effectively hand attackers a well-oiled ransom machine capable of operating at massive scale,” concludes the report. “For this reason, we strongly recommend applying the prevention and hardening best practices outlined above, as misconfiguration—not exploitation—continues to be the critical enabling factor.”

Pierluigi Paganini

(SecurityAffairs – hacking, ransom)