Researchers have discovered that exposed MongoDB instances are still being targeted by threat actors in automated data extortion attacks, demanding low ransoms from owners to restore the data. The attackers focus on insecure databases that permit access without restriction, compromising around 1,400 servers so far. To protect yourself and your organization, it's crucial to follow best practices for securing MongoDB instances.
The world of data security is constantly evolving, with new threats and vulnerabilities emerging on a daily basis. In recent times, the threat actor community has been busy exploiting weaknesses in various databases, including MongoDB. This article delves into the specifics of a recent attack on exposed MongoDB instances, highlighting the tactics used by attackers to extort ransoms from unsuspecting victims.
According to researchers at cybersecurity firm Flare, over 208,500 publicly exposed MongoDB servers were discovered, with around 100,000 exposing operational information and approximately 3,100 accessible without authentication. Of the instances accessible without authentication, nearly half (45.6%) had already been compromised when Flare examined them: the database had been wiped clean of data and a ransom note left behind.
The analysis of the ransom notes revealed that most demanded payment in Bitcoin (often around 0.005 BTC, equivalent to $500-600 USD) to a specified wallet address, promising to restore the data. However, there is no guarantee that attackers have the data or will provide a working decryption key if paid.
Furthermore, researchers found that only five distinct wallet addresses were used across the dropped ransom notes, with one of them appearing in about 98% of the cases, indicating that a single threat actor is behind most of these attacks. Flare suggests that MongoDB administrators avoid exposing instances to the public unless it is absolutely necessary, use strong authentication, enforce firewall rules and Kubernetes network policies that allow only trusted connections, and avoid copying configurations verbatim from deployment guides.
Additionally, nearly half (95,000) of all internet-exposed MongoDB servers run older versions that are vulnerable to n-day flaws. However, most of those flaws only enable denial-of-service attacks, not remote code execution. Flare recommends that MongoDB be updated to the latest version and continuously monitored for exposure. If an instance has been exposed, credentials need to be rotated and logs examined for unauthorized activity.
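The advice above ends with examining logs for unauthorized activity. The following added example (not code from the article or from Flare) shows what that triage can look like over MongoDB's structured JSON log: it flags connections from outside trusted networks, destructive commands such as `dropDatabase` attributed back to the connection that issued them, and authorization failures. The trusted CIDRs and the sample log lines are constructed assumptions for this example, and it assumes command logging is enabled so that commands appear in the log.

```python
import ipaddress
import json

# Networks from which database access is expected (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Commands that wipe data; one of these arriving over an untrusted connection is the
# footprint of the wipe-and-ransom pattern described in the article.
DESTRUCTIVE = {"dropDatabase", "drop", "dropIndexes"}

# Constructed sample lines in the shape of MongoDB's JSON log (not real captured data).
SAMPLE_LOG = [
    '{"t":{"$date":"2023-07-07T10:00:01Z"},"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.9:51234","connectionId":12}}',
    '{"t":{"$date":"2023-07-07T10:00:02Z"},"s":"I","c":"COMMAND","ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"shop.$cmd","command":{"dropDatabase":1}}}',
    '{"t":{"$date":"2023-07-07T10:00:03Z"},"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.4.2:40000","connectionId":13}}',
    '{"t":{"$date":"2023-07-07T10:00:04Z"},"s":"I","c":"ACCESS","ctx":"conn13","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized"}}}',
]

def _remote_ip(attr):
    """Extract the client IP from an 'attr.remote' value such as '203.0.113.9:51234'."""
    remote = attr.get("remote", "")
    host = remote.rsplit(":", 1)[0] if ":" in remote else remote
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None

def triage_log(lines):
    """Return a list of (category, detail) findings from MongoDB JSON log lines."""
    findings = []
    conn_src = {}  # connection context (e.g. 'conn12') -> client IP, for attribution
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON (e.g. legacy text-format logs)
        attr = entry.get("attr", {})
        ip = _remote_ip(attr)
        if entry.get("msg") == "Connection accepted" and ip is not None:
            conn_src[f"conn{attr.get('connectionId')}"] = ip
            if not any(ip in net for net in TRUSTED_NETS):
                findings.append(("untrusted_connection", str(ip)))
        hit = DESTRUCTIVE & set(attr.get("command", {}))
        if hit:
            src = conn_src.get(entry.get("ctx"), ip)  # attribute command to its connection
            findings.append(("destructive_command", f"{sorted(hit)[0]} on {attr.get('ns')} from {src}"))
        if entry.get("c") == "ACCESS" and "failed" in entry.get("msg", "").lower():
            findings.append(("auth_failure", entry.get("msg")))
    return findings
```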
It's worth noting that this is not an isolated incident, as a flurry of similar attacks had occurred until 2021, deleting thousands of databases and demanding ransom to restore the information. Sometimes, the attacker just deletes the databases without a financial demand.
IT infrastructure is constantly evolving, with modern systems moving faster than manual workflows can handle. To stay ahead of emerging threats, organizations need to adopt proactive security measures, such as implementing robust authentication, keeping software up to date, and regularly monitoring their networks for exposed services and vulnerabilities.