September 6, 2017 By Larry Loeb 2 min read

Security researchers uncovered a new wave of concentrated attacks against MongoDB installations. The campaign is reminiscent of a malware attack from late 2016 and early 2017 in which unsecured databases were cleared and replaced with a fraudulent ransom note. Those who paid the ransom found that their data was permanently lost.

New Malware Attack Hits MongoDB

Bleeping Computer attributed the discovery to security researchers Dylan Katz and Victor Gevers. Gevers is the chairman of the GDI Foundation, which is a nonprofit organization that aims to secure devices exposed online.

Katz unearthed the MongoDB attacks as part of this work, which also involved cryptocurrency miners, Arris modems and Internet of Things (IoT) devices. Gevers said he would consult with additional security experts to examine the attacks more closely.

According to a Google Docs spreadsheet compiled by several security researchers to track the issue, including the previous MongoDB ransomware strikes, three email addresses were associated with these new attacks. These infected over 26,000 servers. That is an extremely high number of compromises for a short period of time.

Gevers also told Bleeping Computer that he had observed cases in which a threat actor breached a user’s database before the user restored the data from backups. At that point, the malware operators hijacked the database once more because the victim failed to properly secure it.

Possible Causes and Remediation Steps

Gevers could not paint a clear picture as to how the hijacking was even possible. He said he was confused by missing pieces of the overall puzzle, and he wondered whether a lack of knowledge on the victims’ part came into play. He also suggested that the victims may have been running on older versions of the database without safe defaults.

For its part, MongoDB posted a detailed list of steps to avoid attacks like this. Security professionals responsible for securing MongoDB databases would be wise to review these mitigation steps.

More from

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Cybersecurity trends: IBM’s predictions for 2025

4 min read - Cybersecurity concerns in 2024 can be summed up in two letters: AI (or five letters if you narrow it down to gen AI). Organizations are still in the early stages of understanding the risks and rewards of this technology. For all the good it can do to improve data protection, keep up with compliance regulations and enable faster threat detection, threat actors are also using AI to accelerate their social engineering attacks and sabotage AI models with malware.AI might have…

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

3 min read - IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today