BreachExchange mailing list archives
Attackers ransom bookseller’s exposed MongoDB database
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 8 Aug 2019 08:55:28 -0500
https://nakedsecurity.sophos.com/2019/08/06/attackers-ransom-booksellers-exposed-mongodb-database/

Exposed MongoDB databases have become the easy money-maker ransomware criminals are busy filling their boots with. In mid-July 2019, another database fell to the extortion hackers, this time containing 2.1 million records belonging to well-known Mexican publisher and bookseller, Librería Porrúa.

It’s not certain how many individual customers were affected, but purchase information included details of 1.2 million names, email addresses, shipping addresses and phone numbers, plus site information such as invoices and purchases, shopping cart IDs, activation codes and tokens, and hashed card details. There were also 958,000 personal records revealing most of the above data fields plus dates of birth.

We know all this because this exposed MongoDB instance was discovered by security researcher Bob Diachenko on 15 July 2019, the day after it was first indexed by the Shodan search engine. He explains how he immediately contacted the company with the bad news.

Unfortunately, by 18 July, criminals had spotted and “wiped” the database, leaving a demand for 0.05 Bitcoins (around $500) to return it. The next day, access to the now empty database was disabled by someone, presumably in response to the attack. As of 1 August, nobody from Librería Porrúa had contacted Diachenko regarding his discovery.

As with previous incidents involving exposed databases, the MongoDB instance was accessible by anyone without the need for authentication, with the added bonus that it could be reached using two different IP addresses.

As Diachenko points out, by the time criminals access a database of this kind, paying the ransom is beside the point – even if the attackers hand back the data, it might still have been copied and exposed elsewhere.
Public access mode

As previously discussed on Naked Security, one of the risks with MongoDB is that it’s easy to mess up, either by using an older version lacking remote access authentication, or a newer instance that has been poorly secured. Diachenko notes:

    The public configuration makes it possible for cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.

It’s the recurring weakness that contributed to a huge campaign that compromised up to 27,000 MongoDB installations in 2017. In 2018, in another severe incident, a database of 445 million records held by disaster recovery company Veeam was found in an exposed state by Diachenko. In May this year, Diachenko discovered yet another MongoDB database containing the records of 275 million people in India.
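The weakness the article describes, an instance listening on every interface with no authentication, comes down to two settings in mongod.conf: net.bindIp (or net.bindIpAll) and security.authorization. The following is an added example, not code from the article, Sophos or Diachenko: it parses the two-level YAML subset mongod.conf uses, encodes MongoDB's documented defaults (releases before 3.6 bound to all interfaces unless told otherwise; 3.6 and later bind to localhost only; authorization is off unless enabled), and flags the exposed-and-unauthenticated combination. Both configuration files are constructed for the example; the paths and addresses in them are invented.

```python
"""Audit a mongod.conf for the two settings behind most 'exposed MongoDB' incidents:
the listener address and whether authentication is enforced. Added example."""

# Constructed example: what an exposed instance typically looks like.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: the same instance, corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def parse_conf(text):
    """Minimal parser for the 'section:\\n  key: value' YAML subset mongod.conf uses.
    Enough for the checks below; it is not a general YAML parser."""
    cfg = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            cfg[section] = value if value else {}  # top-level scalar or new section
        elif section is not None and isinstance(cfg[section], dict):
            cfg[section][key] = value
    return cfg


def _section(cfg, name):
    sec = cfg.get(name)
    return sec if isinstance(sec, dict) else {}


def audit(conf_text, version="4.0.0"):
    """Return a list of findings; an empty list means neither weakness is present."""
    cfg = parse_conf(conf_text)
    major_minor = tuple(int(x) for x in version.split(".")[:2])
    net, sec = _section(cfg, "net"), _section(cfg, "security")
    findings = []

    if str(net.get("bindIpAll", "")).lower() == "true":
        exposed = True
        findings.append("net.bindIpAll is true: listening on every interface")
    elif "bindIp" in net:
        addrs = [a.strip() for a in net["bindIp"].split(",") if a.strip()]
        exposed = any(a not in LOOPBACK for a in addrs)
        if any(a in WILDCARD for a in addrs):
            findings.append("net.bindIp contains a wildcard address: listening on every interface")
    else:
        # Documented default: before 3.6 mongod listened on all interfaces;
        # 3.6 and later listen on localhost only.
        exposed = major_minor < (3, 6)
        if exposed:
            findings.append("no net.bindIp and mongod %s predates 3.6: "
                            "default is to listen on every interface" % version)

    auth_on = str(sec.get("authorization", "disabled")).lower() == "enabled"
    if not auth_on:
        findings.append("security.authorization is not 'enabled': "
                        "clients connect without credentials")

    if exposed and not auth_on:
        findings.append("CRITICAL: remotely reachable and unauthenticated; anyone who "
                        "can reach the port has full administrative control")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The audit treats a specific non-loopback address as "reachable" only for the purpose of the combined CRITICAL finding: binding to a private interface with authorization enabled is a normal deployment, while any wildcard bind is reported on its own. Run against a host's actual mongod.conf and the version string from `mongod --version`, the empty-list result is the state the article's victims did not have.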