Attacks On MongoDB Rise as Hijackings Continue

This week we hear how attacks on MongoDB are rising as hijackings continue, and about a ransomware strain that requires you to read security articles.

Breach

Attacks On MongoDB Rise as Hijackings Continue

The number of insecure MongoDB databases being hijacked by criminals is growing, according to experts who say the attacks that began last week are now targeting more valuable assets.

It has been reported that a hacker going by the handle "Harak1r1" was compromising open MongoDB installations, deleting their contents, and leaving behind a ransom note demanding 0.2 BTC (about $220).

Despite years of repeated warnings about unprotected MongoDB databases, a recent scan using the Shodan search engine reveals 46,000 open MongoDB instances ripe for attack.

References: Database Hijackings Who’s Next | Attacks on MongoDB Rise as Hijackings Continue | MongoDB Databases For Ransom


Mitigation Strategies:

  • Log management could detect suspicious user account activity
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • To avoid becoming a victim, enable authentication; this gives you "defense in depth" for the situation where the network itself is breached. To do this, set "auth = true" in the legacy MongoDB configuration file, or "security.authorization: enabled" in the YAML-format mongod.conf.
  • If possible, enable firewalls and disable remote access to MongoDB databases, and configure bindIp ("bind_ip" in the legacy format), which binds the server to specific local IP addresses and limits who can reach it.
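To make the last two items concrete, here is an added example (not from the article or from MongoDB itself) that audits a mongod.conf for exactly those two controls: authentication enabled and the listener bound to specific addresses. The three sample configurations are constructed for the example; the parser handles only the flat "section / key: value" subset of YAML that mongod.conf uses plus the older "key = value" form, so it needs no third-party library.

```python
# Constructed sample configurations (not from the article). The weak one
# reflects the exposed deployments described above: no authentication and
# a listener on every interface.
WEAK_YAML = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_YAML = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private address
security:
  authorization: enabled
"""

# Same hardening expressed in the older key = value configuration format.
HARDENED_LEGACY = """\
dbpath = /var/lib/mongodb
auth = true
bind_ip = 127.0.0.1
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_mongod_conf(text):
    """Parse the subset of mongod.conf syntax needed here.

    YAML form: top-level 'section:' lines followed by indented 'key: value'
    lines. Legacy form: top-level 'key = value' lines, stored under the
    pseudo-section '_legacy'. Full YAML is deliberately not supported.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if "=" in line and not raw.startswith(" "):
            key, _, value = line.partition("=")
            conf.setdefault("_legacy", {})[key.strip()] = value.strip()
        elif not raw.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        else:
            key, _, value = line.strip().partition(":")
            conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both controls are set."""
    findings = []
    yaml_auth = conf.get("security", {}).get("authorization", "")
    legacy_auth = conf.get("_legacy", {}).get("auth", "")
    if yaml_auth.lower() != "enabled" and legacy_auth.lower() != "true":
        findings.append("authentication is not enabled (security.authorization / auth)")

    bind = conf.get("net", {}).get("bindIp") or conf.get("_legacy", {}).get("bind_ip")
    if conf.get("net", {}).get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: server listens on every interface")
    elif bind is None:
        # Older releases listened on all interfaces when bindIp was absent;
        # flag it so the setting is made explicit either way.
        findings.append("bindIp is not set: listener interface is implicit")
    elif any(a.strip() in ALL_INTERFACES for a in bind.split(",")):
        findings.append("bindIp includes a wildcard address: server listens on every interface")
    return findings


if __name__ == "__main__":
    samples = [("weak", WEAK_YAML), ("hardened", HARDENED_YAML), ("legacy", HARDENED_LEGACY)]
    for name, text in samples:
        result = audit(parse_mongod_conf(text))
        print(name, "->", result or "no findings")
```

Run it against a copy of your own mongod.conf by reading the file into `parse_mongod_conf`; the weak sample produces two findings and both hardened samples produce none. Binding to a private address as in the hardened YAML still needs the firewall rule from the bullet above, since bindIp controls which interface the server listens on, not who may reach that interface.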

Malware

Koolova: The Ransomware That Requires You to Read Security Articles

This version of a ransomware requires you to read security articles or you will see your blocked files permanently deleted. A warning screen (complete with the requisite stock photo image of a hacker in a ski mask) appears and announces that all your files have been encrypted.

If you "agree to stop downloading unsafe applications off the Internet" and do the recommended reading, you'll get a decryption key that will restore your encrypted files free of charge. If the victim takes too long to read the articles, the files are actually destroyed by the malware.

References: New Malware Holds Your Files Hostage Until You Read Two Cybersecurity Awareness Articles | Koolova Ransomware Unlocks Files Read Two Ransomware Avoidance Posts | This Crazy Ransomware Restores Your Files If You Read About Ransomware | Koolova: The Ransomware That Wants to Make You Aware of Security

Mitigation Strategies:

  • Anti-virus would detect file infection on the local host
  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • A tested backup and restore strategy

This Week's Suspicious IP Addresses

218.65.30.43 122.194.229.40
153.99.182.14 153.99.182.4
203.192.16.17 46.109.168.179

*IP addresses provided by Recorded Future.
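As an added example of putting this week's list to use (this is not code from the newsletter or from Recorded Future), the script below sweeps log lines for the six addresses above. The four log lines are constructed for the example and imitate an sshd auth entry, two web-server access entries and a MongoDB connection entry; the only real values are the IP addresses taken from the list.

```python
import ipaddress
import re

# IP addresses from the list above (values taken from the bulletin itself).
SUSPICIOUS_IPS = {
    "218.65.30.43", "122.194.229.40",
    "153.99.182.14", "153.99.182.4",
    "203.192.16.17", "46.109.168.179",
}

# Constructed sample log lines (not real traffic): one sshd auth line, two
# nginx-style access lines and one MongoDB connection-accepted line.
SAMPLE_LOGS = """\
Jan 10 03:14:07 bastion sshd[2211]: Failed password for root from 218.65.30.43 port 51022 ssh2
10.0.0.8 - - [10/Jan/2017:03:15:01 +0000] "GET /login HTTP/1.1" 200 512
46.109.168.179 - - [10/Jan/2017:03:15:09 +0000] "POST /wp-login.php HTTP/1.1" 403 0
2017-01-10T03:16:22.101+0000 I NETWORK [initandlisten] connection accepted from 153.99.182.4:45210 #17 (3 connections now open)
"""

# Dotted quad not preceded or followed by another digit or dot, so a port
# suffix (":45210") or a decimal timestamp does not produce a false match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(line):
    """Return every syntactically valid IPv4 address found in one log line."""
    found = []
    for m in IPV4_RE.finditer(line):
        candidate = m.group(1)
        try:
            ipaddress.IPv4Address(candidate)   # rejects octets above 255
        except ValueError:
            continue
        found.append(candidate)
    return found


def match_suspicious(log_text, watchlist=SUSPICIOUS_IPS):
    """Return (line_number, ip) pairs for every watchlist hit in the log text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for ip in extract_ips(line):
            if ip in watchlist:
                hits.append((lineno, ip))
    return hits


if __name__ == "__main__":
    for lineno, ip in match_suspicious(SAMPLE_LOGS):
        print(f"line {lineno}: contact with listed address {ip}")
```

On the sample input the script reports lines 1, 3 and 4; the address on line 2 is an internal client and is ignored. Point `match_suspicious` at the contents of your own auth, web and MongoDB logs to get the same report for real traffic.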