September 6, 2017 By Larry Loeb 2 min read

Security researchers uncovered a new wave of concentrated attacks against MongoDB installations. The campaign is reminiscent of a malware attack from late 2016 and early 2017 in which unsecured databases were cleared and replaced with a fraudulent ransom note. Those who paid the ransom found that their data was permanently lost.

New Malware Attack Hits MongoDB

Bleeping Computer attributed the discovery to security researchers Dylan Katz and Victor Gevers. Gevers is the chairman of the GDI Foundation, which is a nonprofit organization that aims to secure devices exposed online.

Katz unearthed the MongoDB attacks as part of this work, which also involved cryptocurrency miners, Arris modems and Internet of Things (IoT) devices. Gevers said he would consult with additional security experts to examine the attacks more closely.

According to a Google Docs spreadsheet compiled by several security researchers to track the issue, including the previous MongoDB ransomware strikes, three email addresses were associated with these new attacks. These infected over 26,000 servers. That is an extremely high number of compromises for a short period of time.

Gevers also told Bleeping Computer that he had observed cases in which a threat actor breached a user’s database before the user restored the data from backups. At that point, the malware operators hijacked the database once more because the victim failed to properly secure it.

Possible Causes and Remediation Steps

Gevers could not paint a clear picture as to how the hijacking was even possible. He said he was confused by missing pieces of the overall puzzle, and he wondered whether a lack of knowledge on the victims’ part came into play. He also suggested that the victims may have been running on older versions of the database without safe defaults.

For its part, MongoDB posted a detailed list of steps to avoid attacks like this. Security professionals responsible for securing MongoDB databases would be wise to review these mitigation steps.

More from

What is the Open-Source Software Security Initiative (OS3I)?

3 min read - The Open-Source Software Security Initiative (OS3I) recently released Securing the Open-Source Software Ecosystem report, which details the members’ current priorities and recommended cybersecurity solutions. The accompanying fact sheet also provides the highlights of the report. The OS3I includes both federal departments and agencies working together to deliver policy solutions to secure and defend the ecosystem. The new initiative is part of the overall National Cybersecurity Strategy.After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security of…

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today