BreachExchange mailing list archives

Unistellar attackers already wiped over 12,000 MongoDB databases


From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 21 May 2019 08:41:11 -0500

https://securityaffairs.co/wordpress/85766/hacking/unistellar-wiped-12000-mongodb.html

Every time hackers deleted a MongoDB database they left a message
asking the administrators to contact them to restore the data.

Unfortunately, the criminal practice of deleting MongoDB databases and
requesting a ransom to restore the data is common; experts have observed
several campaigns targeting unsecured archives exposed online.

In the last wave of attacks, crooks don’t request payment of a
specific ransom amount; instead, they provide an email contact to
start a negotiation.

Bleeping Computer first reported the attacks and cited the expert
Sanyam Jain as the person that discovered the deleted MongoDB
databases.

“This person might be charging money in cryptocurrency according to
the sensitiveness of the database,” explained Jain.

The expert discovered 12,564 unprotected MongoDB DBs that were wiped
by an attacker tracked as Unistellar; he searched for the text
“hacked_by_unistellar” that the attacker left in the message.

Making the same search on Shodan, experts at BleepingComputer found a
smaller number, 7,656 databases, while doing the same search I found
8,133 compromised installs exposed online.
It is likely the attacker has automated its attack chain, given the
large number of MongoDB databases deleted by Unistellar.

Jain first discovered the attacks on April 24; the note left by the
Unistellar attacker reads “Restore ? Contact : unistellar () yandex com”

The attacker used two email addresses in these attacks,
unistellar () hotmail com or unistellar () yandex com.

According to Jain, Unistellar creates restore points to restore the
databases after the victims have paid the ransom.

If you manage a MongoDB instance, follow the guidelines on “how to
secure a MongoDB database”.
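To make the closing advice concrete, here is an added example (not from the article, the list, or MongoDB's own documentation) showing the kind of mongod.conf that leaves an instance open to this wiping pattern next to a hardened one. The keys are MongoDB's documented YAML options; the interface addresses, port and paths are placeholders for your own environment.

```yaml
# --- Exposed configuration (added example, not from the article) ---
# Listens on every interface and defines no security section, so any client
# that can reach TCP 27017 can list, read, drop and rewrite every database.
net:
  bindIp: 0.0.0.0          # reachable from the public internet if the host is
  port: 27017
storage:
  dbPath: /var/lib/mongodb  # placeholder path

# --- Hardened configuration (added example, not from the article) ---
net:
  bindIp: 127.0.0.1,10.0.0.5   # placeholder: loopback plus the internal app-network address only
  port: 27017
security:
  authorization: enabled        # every client must authenticate and is limited to its granted roles
storage:
  dbPath: /var/lib/mongodb      # placeholder path
```

Create an administrative user over the loopback interface before turning `authorization` on, otherwise you lock yourself out as well. MongoDB 3.6 and later bind to localhost by default, so an exposed instance like the first block usually comes from an explicit `bindIp` change, and the fix is to restrict it again and to confirm from outside the network that the port is no longer reachable. Because the attacker described above offers to restore data only after payment, keeping your own tested backups is what removes the leverage behind the ransom note.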
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
