MongoDB ransom attacks reportedly re-emerged over the weekend, with three new hacker groups hijacking over 26,000 servers in a fresh wave of attacks. The new attacks are allegedly a continuation of previous ones, which began late last year and lasted well into the first few months of 2017.
Although the MongoDB attacks dwindled over the past few months, they now appear to have resumed with a vengeance. Bleeping Computer reported that the new attacks were detected by security researchers Dylan Katz and Victor Gevers. The duo also reportedly identified three new hacker groups – cru3lty, wolsec and mongodb – named after the email addresses they used when sending out ransom demands. Of the three groups, cru3lty reportedly hijacked a record of over 22,000 servers.
"The amount of (new) attackers went down compared with the beginning of the year, but the destructive reach (in regards to victims) per attack went up in numbers," Gevers, the chairman of GDI Foundation, told Bleeping Computer. "So it looks like there are fewer attackers but with a larger impact."
Earlier in the year, the MongoDB attacks propagated to other server technologies, including ElasticSearch, CouchDB, MySQL and others.
According to Gevers, in some cases, after a user has restored a hijacked database from backups, a hacker group ransoms the servers again on the same day, because the victim didn't properly secure the database.
"Now we need to study exactly what is going on here because we are missing pieces of the puzzle to keep a complete picture," Gevers said. "Is this a lack of knowledge? Did they mess up the [MongoDB] security settings without knowing it? Are they running on older versions without safe defaults and other vulnerabilities?"
"MongoDB is not unique—OpenSSL, Apache, MySQL, Linux, etc. have all had their fair share of security. We've seen hackers exploit WordPress vulnerabilities that were patched more than 10 years ago," Rob Sobers, Director at Varonis, had earlier told IBTimes UK. "The problem of overexposed data goes behind the public Internet, too. We see the same exact problem behind the corporate firewall—it's not uncommon to find hundreds of thousands of sensitive folders with highly sensitive data exposed to every user on the network within the first few minutes of a risk assessment.
"Organizations should have a documented patch management process, should scan for vulnerabilities and configuration mishaps, and discover and classify sensitive data and systems so they can properly lock them down."
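The re-infections Gevers describes (a database restored from backup and ransomed again the same day) and the "configuration mishaps" Sobers recommends scanning for both come down to two mongod settings: which interfaces the server listens on and whether access control is on. The following is an added example, not code from the article or from MongoDB: a small checker that reads a mongod.conf in the flat YAML layout MongoDB uses and flags those two settings, shown against a constructed weak configuration and its hardened counterpart. The configuration texts and the function names are constructed for this example; `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod options.

```python
"""Audit a mongod.conf for the two settings behind most open-MongoDB ransom
incidents: listening on every interface and running without access control.
Added example; the two configuration texts below are constructed samples."""

# Constructed sample: a server reachable from anywhere, with no authentication.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the same server bound to localhost with access control on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that mean "every interface" when they appear in net.bindIp.
EXPOSED_ADDRESSES = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Minimal parser for the 'section:' / '  key: value' layout mongod.conf
    uses. Returns {section: {key: value}} with every value as a string.
    Deliberately not a general YAML parser; comments and blank lines are skipped."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip().strip('"').strip("'")
        if indent == 0:
            if value:                      # top-level scalar, e.g. 'systemLog: ...'
                result[key] = value
                section = None
            else:                          # start of a nested section
                section = key
                result[section] = {}
        elif section is not None:
            result[section][key] = value
    return result


def audit_mongod_conf(text):
    """Return a list of human-readable findings; an empty list means the two
    audited settings look safe."""
    conf = parse_simple_yaml(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    security = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []

    # 1. Network exposure: bindIpAll, or an "all interfaces" address in bindIp.
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" in net:
        addresses = [a.strip() for a in net["bindIp"].split(",")]
        if any(a in EXPOSED_ADDRESSES for a in addresses):
            findings.append(f"net.bindIp is {net['bindIp']}: mongod listens on every interface")
    else:
        # mongod 3.6 and later default to localhost; earlier releases bound all
        # interfaces, so an unset bindIp is worth confirming on older servers.
        findings.append("net.bindIp is not set: confirm the default for this mongod version")

    # 2. Access control: anything other than 'enabled' allows anonymous clients.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: no authentication required")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

Point the checker at a real file with `audit_mongod_conf(open("/etc/mongod.conf").read())`; both findings have to be clear before a restored database goes back online, and the hardened settings only take effect after the service is restarted and user accounts have been created.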