33,000 Databases Fall in MongoDB Massacre

Nearly 33,000 MongoDB databases have been hijacked as of today, according to the latest numbers from a series of attack campaigns that have been picking up pace over the past couple of weeks.
What started as a seemingly isolated incident in December has turned into a massacre of insecure, Internet-exposed MongoDB databases worldwide. Multiple actors are now trying to cash in on organizations’ failure to secure databases that should never have been reachable from the Internet in the first place.
Initially, a single hacker was observed hijacking MongoDB databases, stealing their contents and holding them for ransom. The actor was asking for 0.2 Bitcoin, and dozens of organizations paid within the first two weeks alone.
Soon after the initial round of attacks made headlines at the beginning of the year, things escalated as more hackers joined in. MongoDB databases are currently being attacked by nearly two dozen actors, and the pace at which databases are being hijacked has increased dramatically.
Within days, tens of thousands of MongoDB databases fell to the massacre: the count rose from roughly 10,000 on Friday to nearly 33,000 as of this morning. According to a tweet from Capgemini’s Niall Merrigan, MongoDB’s default system databases (admin and local) are no longer the most common database names seen on exposed instances; on Tuesday, the name of the database that attackers create to hold their ransom note climbed to the top of the statistics.
These attacks are easy to carry out: exposed instances can be discovered with Internet-wide search engines, and MongoDB installations are not secured by default. MongoDB ships with access control disabled, so a mongod that can be reached over the network accepts unauthenticated connections with full rights to read, modify and drop every database. Whereas most other database servers at least demand credentials, all an attacker needs here is for the default port, TCP 27017, to be reachable, which is the case whenever the process is bound to all interfaces instead of localhost.
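The two defaults described above are visible in the server’s configuration file, so they can be checked before an instance is exposed. The following audit script is an added example written for this page, not code from MongoDB or from the article: it parses the nested key/value subset of YAML that mongod.conf uses (no lists or anchors), flags a process bound to every interface or running without access control, and shows a constructed weak configuration next to its corrected form. The option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `security.keyFile`) are real mongod settings; the two configuration texts are constructed.

```python
"""Audit a mongod.conf for the two defaults the MongoDB ransack campaign relied on:
a process listening on every interface and no access control.
Added example for this page, not MongoDB's code; WEAK_CONF and HARDENED_CONF are
constructed. The parser handles only the nested key: value subset mongod.conf uses."""
from typing import Any, Dict, List

# Constructed: a configuration of the kind that was being ransacked.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere
# no security section: authorization defaults to disabled
"""

# Constructed: the same instance with both settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # or a private/VPN address the application servers use
security:
  authorization: enabled  # clients must authenticate; create the admin user first
"""


def parse_mongod_conf(text: str) -> Dict[str, Any]:
    """Minimal indent-based YAML parser: nested mappings and scalar values only."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while indent <= stack[-1][0]:         # close mappings at deeper/equal indent
            stack.pop()
        key, _, value = line.strip().partition(":")
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("'\"")
        else:
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_mongod_conf(conf: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means both checks passed."""
    findings: List[str] = []
    net = conf.get("net") or {}
    security = conf.get("security") or {}

    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        # Before 3.6 the mongod binary listened on all interfaces unless the config said otherwise.
        findings.append("net.bindIp not set: mongod 3.4 and earlier listens on every interface")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in str(bind_ip).split(",")):
        findings.append(f"net.bindIp={bind_ip}: mongod listens on every interface")

    # security.keyFile implies authorization (replica-set members), so accept it as well.
    if security.get("authorization") != "enabled" and not security.get("keyFile"):
        findings.append("security.authorization is not enabled: anyone who can reach the port "
                        "has unauthenticated read/write/drop access to every database")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(parse_mongod_conf(text)) or ["OK"])
```

Run it against the file an instance actually loads (the path passed with `--config` or `-f`), not a copy, and remember that turning on `security.authorization` on a live instance locks everyone out until an administrative user exists; create that user first, then restart with the hardened configuration.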
Ethical hacker Victor Gevers, who was the first to discover the attack, told SecurityWeek that some companies in fact fail to secure their databases even after they’ve been hacked. “But do not underestimate how unwisely some organizations respond when they find out their database was stolen. They remove the note and just restore the database, but leave the server still open,” he said.
Dubbed “MongoDB ransack,” the campaign is being closely monitored by Merrigan and Gevers. The latter has long been searching for insecure databases in order to warn the companies running them of the risk they pose, but many of his responsible disclosures went unanswered: 138 of last year’s reports suffered that fate.
More recently, attackers have begun looking to cash in on the hype surrounding the campaign, and one of them is selling the software used to hijack the databases. The tool is called Kraken Mongodb ransomware, and its C# source code is offered for just $200 in Bitcoin.
One measurable effect of the campaign is that the amount of data held in Internet-exposed MongoDB databases has dropped sharply over the past weeks. According to Merrigan, 114.5 TB of data disappeared in less than three days as a result of these attacks.
In fact, the researchers monitoring the situation have already warned that most of the attackers are no longer holding the data for ransom at all: they simply drop the databases and pretend they still have a copy.
In some cases the same database is hit several times, because the attackers are working from the same pool of targets, so an organization could end up paying the ransom to an attacker who never had its data. Victims should refrain from paying, and if they do contact the attackers they should demand “proof of life”, evidence that the data still exists, before anything else.

Provided an organization has proper network monitoring in place, it is possible to tell whether a database was copied before being deleted or merely deleted, Gevers says. Doing so means correlating the outbound traffic volume recorded at the network level with what the mongod log shows: how many connections were open at the same time and how long each of them lasted. From that, responders can estimate how much data, if any, was exfiltrated; a multi-gigabyte database cannot have been copied over a connection that lasted a couple of seconds and carried a few kilobytes.
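The correlation Gevers describes can be scripted. The block below is an added example for this page, not his or anyone else’s tooling: it pairs the `connection accepted` and `end connection` entries that mongod 3.x writes to its log to obtain each client’s connection lifetime, sums the server-to-client bytes from flow records that overlap that lifetime, and compares the total with the data size the instance held before the drop. The log excerpt, the flow records, the peer addresses and `DATA_SIZE_BYTES` are all constructed; the `copy_fraction` threshold is an assumption a responder would tune to the case at hand.

```python
"""Estimate whether an intruder copied a MongoDB database before dropping it by correlating
mongod connection lifetimes with outbound traffic measured on the network side.
Added example for this page; not Gevers's tooling. MONGOD_LOG, FLOWS and DATA_SIZE_BYTES
are constructed."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
ACCEPTED = re.compile(r"^(\S+) I NETWORK\s+\[\S+\] connection accepted from (\S+) #(\d+)")
ENDED = re.compile(r"^(\S+) I NETWORK\s+\[\S+\] end connection (\S+)")


def ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


# Constructed mongod 3.x log excerpt: one two-second visit, one half-hour visit.
MONGOD_LOG = """\
2017-01-10T02:14:07.101+0000 I NETWORK  [thread1] connection accepted from 203.0.113.5:52344 #7 (2 connections now open)
2017-01-10T02:14:09.002+0000 I NETWORK  [conn7] end connection 203.0.113.5:52344 (1 connection now open)
2017-01-10T03:40:00.000+0000 I NETWORK  [thread1] connection accepted from 198.51.100.23:40112 #8 (2 connections now open)
2017-01-10T04:12:31.500+0000 I NETWORK  [conn8] end connection 198.51.100.23:40112 (1 connection now open)
"""

# Constructed flow records (e.g. NetFlow/IPFIX): bytes the server sent to each peer.
FLOWS = [
    {"peer": "203.0.113.5:52344", "start": ts("2017-01-10T02:14:07.100+0000"),
     "end": ts("2017-01-10T02:14:09.010+0000"), "bytes_out": 12_400},
    {"peer": "198.51.100.23:40112", "start": ts("2017-01-10T03:40:00.000+0000"),
     "end": ts("2017-01-10T04:12:31.600+0000"), "bytes_out": 31 * 2**30},
]

DATA_SIZE_BYTES = 28 * 2**30   # constructed: dataSize summed over databases before the drop


def parse_sessions(log: str) -> List[Dict]:
    """Pair each 'connection accepted' with its 'end connection' by peer ip:port."""
    open_conns: Dict[str, Tuple[datetime, int]] = {}
    sessions: List[Dict] = []
    for line in log.splitlines():
        m = ACCEPTED.match(line)
        if m:
            open_conns[m.group(2)] = (ts(m.group(1)), int(m.group(3)))
            continue
        m = ENDED.match(line)
        if m and m.group(2) in open_conns:
            start, conn_id = open_conns.pop(m.group(2))
            sessions.append({"conn": conn_id, "peer": m.group(2), "start": start, "end": ts(m.group(1))})
    return sessions


def bytes_sent_during(session: Dict, flows: List[Dict]) -> int:
    """Sum server->peer bytes from flows that overlap the session's lifetime."""
    return sum(f["bytes_out"] for f in flows
               if f["peer"] == session["peer"]
               and f["start"] <= session["end"] and f["end"] >= session["start"])


def assess(log: str, flows: List[Dict], data_size_bytes: int,
           copy_fraction: float = 0.5) -> Dict[str, Tuple[float, int, str]]:
    """Per peer: (connection duration in seconds, bytes the server sent it, verdict)."""
    results: Dict[str, Tuple[float, int, str]] = {}
    for s in parse_sessions(log):
        duration = (s["end"] - s["start"]).total_seconds()
        sent = bytes_sent_during(s, flows)
        if sent >= copy_fraction * data_size_bytes:
            verdict = "likely copied the data before dropping it"
        else:
            verdict = "too little traffic to have copied the data; distrust any proof-of-life claim"
        results[s["peer"]] = (duration, sent, verdict)
    return results


if __name__ == "__main__":
    for peer, (duration, sent, verdict) in assess(MONGOD_LOG, FLOWS, DATA_SIZE_BYTES).items():
        print(f"{peer}: {duration:.1f}s, {sent / 2**30:.2f} GiB out -> {verdict}")
```

On a real incident the flow records come from whatever sits in front of the server (a flow exporter, firewall session logs, a cloud provider’s flow logs), and the “connections now open” counter in each log line gives the concurrency Gevers mentions; what matters is that the byte count is taken from the network side, because once the attacker has dropped the databases the server itself no longer knows how much it served.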
There are over 50,000 publicly accessible MongoDB instances on the Internet at the moment, and it may not be long before every one that hasn’t been properly secured is hijacked. According to Gevers, all of the insecure databases could be ransacked within a couple of weeks, possibly faster.
One of the databases hit in the ongoing ransack belongs to Princeton University, and it is unclear whether the data can be recovered. According to DataBreaches.net, which discovered the attack, the university has not commented on the incident so far, and there is no information on what kind of data the affected database held.
While he wouldn’t name any of the affected organizations that have asked for help so far, Gevers confirmed once again that they come from a range of industries, including IP, healthcare, online gambling, financial services, trading and travel/booking. Many online services were also hit, the researcher said.
In the meantime, organizations running MongoDB are advised to take the proper steps to secure their installations so they don’t fall victim to this attack. Last week, MongoDB published a blog post detailing how administrators can secure their databases. At minimum that means enabling access control and creating an administrative user, binding mongod to localhost or a private interface rather than to all addresses, blocking TCP port 27017 at the firewall for everything but the application hosts that need it, and keeping tested offline backups, since an attacker who reaches an unauthenticated instance can drop every database in seconds.
Related: Multiple Attackers Hijacking MongoDB Databases for Ransom

Programmer finds way to liberate ransomware’d Google Smart TVs

Television maker LG has saved Darren Cauthon’s new year by providing hidden reset instructions to free his Google TV from ransomware.

The company initially wanted more to repair the set than the idiot box was worth, and relented, offering instructions for resetting the telly, after Cauthon took to Twitter to express his displeasure.
The infection came after the programmer’s wife downloaded an app to the TV that promised free movies. Instead, it installed ransomware demanding US$500 to have the menace removed.
Cauthon said LG offered factory reset steps that are neither publicly documented nor known to its customer support technicians.
He says a family member showed him the TV over Christmas, loaded with ransomware purporting to be an FBI message stating that suspicious files had been found and the user had been fined.
The lame ransomware rendered the TV inoperable, which he managed to fix using the simple steps below; they may apply to other Google TVs as well.
With the TV powered off, place one finger on the settings symbol, then another finger on the channel-down symbol. Remove the finger from settings, then from channel down, and navigate with the volume keys to the wipe data/factory reset option.