January 12, 2017
Almost nine days after attacks on MongoDB servers ramped up, the number of ransacked databases has reached 32,380 hosts, and the number of groups involved in these attacks has grown to 21, up from the single group that started them.
Of these groups, the biggest and baddest of them all is Kraken, a threat actor with some experience in cybercrime, having previously coded and attempted to distribute its own brand of ransomware.
The Kraken group joined the attacks on January 6, and within two days it had claimed nearly 16,000 victims and over $6,200.
Five days later, the same group has now infected over 21,600 MongoDB instances, and according to its Bitcoin wallet, has made 9.8 Bitcoin (~$7,700).
MongoDB realty is slimming down
But there are only so many MongoDB databases one can hijack. According to Shodan, there are around 50,000 MongoDB servers open to external connections, and according to ZoomEye, a similar search engine for Internet-connected services, there are around 100,000 MongoDB servers.
Not all of these expose an administrative account online without a password, and after almost two weeks of intense scans, the market has certainly plateaued.
The intense media coverage following Bleeping Computer's initial article has also helped database administrators secure their databases, or take notice that paying the ransom did not always mean they would get their data back.
Many of these groups didn't bother creating copies of the ransacked data, and almost all engaged in overwriting each other's ransom notes, meaning victims never knew who had their data, or whether anyone had bothered to export it at all.
Kraken selling MongoDB hijacking script for $200
Victims who wanted to pay have by now done so. As such, it appears that the Kraken group is trying to monetize the last thing at its disposal before the market collapses.
Below is an ad the Kraken group appears to have posted on PasteBin.
The script was discovered by a security researcher who goes by the Twitter handle @rem1nd_, and who runs a service that scrapes PasteBin for threat intelligence.
Ever since the MongoDB attacks started, the researcher has added terms related to these attacks to his scan engine. Today, he came across the ad above, in which the Kraken group is selling the source code of its scan-and-hijack engine for a meager $200, paid in Bitcoin.
At this point, providing lesser-skilled threat groups with top-shelf tools will mean bad news, as more actors will become active and more databases will get wiped off the face of the Internet.
Companies affected left and right
In recent days, there have been numerous nightmare scenarios in which companies that did not have recent backups, or any backups at all, were left without a way to recover their data.
DataBreaches.net highlights one of these cases, with Princeton University losing data stored on one of its MongoDB databases after a group hijacked its server.
Bob Diachenko of the MacKeeper Security Research Team also tells Bleeping Computer that these hijacking attacks have affected almost all the responsible disclosures the company was in the middle of.
"In general I can say that all of our previously reported and not secured MongoDBs are hijacked," Diachenko said via email.
For more than a year, the MacKeeper Security Team had been searching the Internet for open MongoDB databases, just like the crooks, but, unlike them, notifying companies and helping them secure their servers.
Since the attacks started, the company shifted from a privacy watchdog to providing support to affected companies in any way it could.
"Our security reports contain 15-record txt samples taken from (mostly large and of course unprotected) databases," the MacKeeper security expert said, "but sometimes even that can be helpful in assessing the sensitivity / origin of data and [help companies] make the right decision."
Victor Gevers and Niall Merrigan, the two researchers who have tracked these attacks since the beginning, have also previously told Bleeping Computer that they spend much of their time helping companies recover their data.
As things stand, the constant scanning makes it impossible to run a passwordless, Internet-exposed MongoDB database ever again. Webmasters who need to work with MongoDB on a regular basis are advised to read MongoDB Inc.'s official security guide, re-published last week as the attacks started to escalate.
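The two settings that the attackers relied on are the listen address and the authorization switch. Below is an added example of a `mongod.conf` (the YAML format used by MongoDB 2.6 and later) showing the exposed value of each setting, commented out, next to the hardened value. This is editor-supplied illustration, not code from the article, from the Kraken script, or from MongoDB Inc.'s guide; the option names `net.port`, `net.bindIp` and `security.authorization` are real MongoDB options, while the comments and the choice of a private application-server address are assumptions for the example.

```yaml
# mongod.conf -- added example, not from the article or from MongoDB Inc.
# Exposed values are commented out above the hardened value that replaces them.

net:
  port: 27017
  # Exposed: listening on every interface (the 3.x default) makes the instance
  # reachable from the Internet, and indexable by Shodan/ZoomEye, as soon as
  # the host has a public address.
  # bindIp: 0.0.0.0
  #
  # Hardened: listen on the loopback interface only. If an application server
  # must connect over the network, add its private address to this comma-
  # separated list instead of opening all interfaces (address is an assumption).
  bindIp: 127.0.0.1

security:
  # Exposed: with authorization disabled (the default) anyone who can reach
  # the port can list, dump and drop every database without a password,
  # which is exactly what the ransom groups did.
  # authorization: disabled
  #
  # Hardened: every operation must come from an authenticated user whose
  # roles allow it.
  authorization: enabled
```

Create an administrative user in the `admin` database with `db.createUser()` from a local shell session before turning `authorization` on, otherwise the restart locks out everyone including the operator. After restarting `mongod`, confirm from a second host that port 27017 no longer answers, and keep a host firewall rule in front of it so that a later config change cannot silently re-expose the instance.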