BreachExchange mailing list archives
Unistellar attackers already wiped over 12, 000 MongoDB databases
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 21 May 2019 08:41:11 -0500
https://securityaffairs.co/wordpress/85766/hacking/unistellar-wiped-12000-mongodb.html Every time hackers deleted a MongoDB database they left a message asking the administrators to contact them to restore the data. Unfortunately, the criminal practice of deleting MongoDB databases and request a ransom to restore data is common, experts observed several campaigns targeting unsecured archive exposed online. In the last wave of attacks, crooks don’t request the payment of a specific ransom amount, instead, they provide an email contact to start a negotiation. Bleeping Computer first reported the attacks and cited the expert Sanyam Jain as the person that discovered the deleted MongoDB databases. “this person might be charging money in cryptocurrency according to the sensitiveness of the database.” explained Jain. The expert discovered 12,564 unprotected MongoDB DBs that were wiped by an attacker tracked as Unistellar, he searched the text “hacked_by_unistellar” that the attacker left in the message. Making the same search on Shodan experts at BleepingComputer found a smaller number, 7,656 databases, while doing the same search I found 8.133 compromised installs exposed online. It is likely the attacker has automated its attacks chain due to the lange number of MongoDB databases deleted by Unistellar. Jain first discovered the attacks on April 24, the note left by the Unistellar attacker reads “Restore ? Contact : unistellar () yandex com The attacker used two email addresses in these attacks, unistellar () hotmail com or unistellar () yandex com. According to Jain, Unistellar creates restore points to restore the databases after the victims have paid the ransom. If you manage a MongoDB instance follow the guidelines on “how to secure a MongoDB database” _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Unistellar attackers already wiped over 12, 000 MongoDB databases Destry Winant (May 21)