Future Hosting, a managed hosting provider, warns MongoDB users to verify that their databases are protected by authentication and a password and that they are not accessible from the open Internet. The warning concerns a new ransomware campaign that erased data from thousands of insecure MongoDB databases last month by exploiting inadequate security settings.
Data from 12,000 MongoDB databases was deleted and replaced with a message asking the owner to contact the attacker for details of the payment to be made. Unlike traditional ransomware attacks, the data is not encrypted but copied to the attacker's servers and then deleted. More than 275 million people were affected by this breach.
Attacks against insecure MongoDB databases are common, but the scale of the recent attacks is far greater than that of the data leaks and ransomware attacks of recent years.
Future Hosting advises MongoDB users to familiarize themselves with the MongoDB documentation, especially the Security Checklist, which explains how to enable access control and authentication.
MongoDB is not inherently insecure, in the sense that the attackers do not exploit any software vulnerability. However, inexperienced users often fail to configure the database properly, allowing it to respond to requests from arbitrary IP addresses without authentication.
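The two settings behind this exposure can be checked directly in a mongod.conf file. The following is an added example, not code from Future Hosting or the MongoDB project: it flags a configuration where security.authorization is not enabled or where net.bindIp listens on all interfaces. The sample configurations and the function names flatten and audit are constructed for illustration, and the defaults assume MongoDB 3.6 or later.

```python
import re

# Constructed sample configurations (illustrative, not from the article).
EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten the nested 'key: value' YAML subset used by mongod.conf into dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) for each open section
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:  # close finished sections
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            out[path] = value
        else:
            stack.append((indent, key))
    return out

def audit(conf_text):
    """Return findings for the two settings the article warns about."""
    conf, findings = flatten(conf_text), []
    # Assumption: MongoDB 3.6+ defaults (authorization disabled, bindIp localhost).
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("no access control: set security.authorization to enabled")
    binds = {a.strip() for a in conf.get("net.bindIp", "localhost").split(",")}
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    if bind_all or binds & {"0.0.0.0", "::", "*"}:
        findings.append("listening on all interfaces: restrict net.bindIp")
    return findings
```

An empty result covers only these two settings; firewall rules and the accounts and roles defined in the database still need their own review.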
Victims may not be aware that MongoDB requires configuration to protect data from external access. They may also mistakenly believe that insecure databases are difficult to find. But tools such as the Shodan search engine and BinaryEdge make it easier to find insecure devices and services online.