A recent article from ZDNet (8-Feb-19) has shed some more light on a continuing pain surrounding cases of MongoDB databases being compromised.

The article mentions that this trend of attacks targeting MongoDB servers first began in December 2016, when hackers realized they could extort payments from companies that had left their MongoDB databases exposed on the internet.  At the time, there were roughly 60,000 MongoDB databases left exposed online, so attackers had plenty of targets to choose from.  During the first wave of attacks, hackers downloaded data to their systems, deleted the data on the company’s server, and left a note behind asking for a ransom in exchange for the data.

Dutch security researcher Victor Gevers has been one of the security researchers who tracked the MongoDB ransom attacks since the get-go. For the past two years, he’s continued to track these hacker groups and their attacks in a Google Docs file he set up back in early 2017.  In an interview earlier this week, Gevers told ZDNet that the attacks were still ongoing. Only over the course of last month, Gevers says he spotted three new hacker groups.

These three new players managed to ransack nearly 3,000 MongoDB databases, operating based on the same technique as the initial attacks –connecting to databases left without a password, deleting data, and leaving a ransom note behind.

Click the button below to read more.