Threat actor compromises about 1,400 exposed MongoDB servers in low-value extortion campaign

A technical analysis by Flare found that a threat actor compromised about 1,400 publicly exposed MongoDB servers in automated data extortion attacks that demanded roughly 0.005 BTC per victim.

KEY FACTS

  • Incident: About 1,400 exposed MongoDB servers were compromised
  • Scale: Researchers identified roughly 208,500 publicly exposed MongoDB instances
  • Access: Approximately 3,100 instances allowed unauthenticated access
  • Ransom: Typical demand about 0.005 BTC, requested within 48 hours

About 208,500 MongoDB servers were publicly exposed on the internet. Roughly 100,000 of those exposed operational information, and about 3,100 allowed access without authentication.

Almost half, 45.6 percent, of instances that allowed unrestricted access had been compromised. Compromised databases were wiped and ransom notes were left demanding payment within 48 hours.

Ransom notes used five distinct Bitcoin wallet addresses, with a single address appearing in about 98 percent of cases. The typical demand was 0.005 BTC, equivalent to roughly $500 to $600 at the time.

Nearly 95,000 exposed instances ran older MongoDB versions with known n-day vulnerabilities. Most of those flaws would enable denial-of-service rather than remote code execution.

Recommended mitigations include avoiding public exposure of database instances when not required, enforcing strong authentication, applying firewall rules and Kubernetes network policies, updating MongoDB to supported versions, rotating credentials, and reviewing logs for unauthorized activity.
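Two of the mitigations above, enforcing authentication on a non-exposed listener and reviewing logs for unauthorized activity, can be checked mechanically. The following is an added example written for this article, not code from Flare or the MongoDB project: it audits a parsed mongod.conf for the wildcard-bind-without-authorization pattern the report counts as "unauthenticated access", and it scans structured log lines for failed logins and database drops, which is what a wipe-and-extort intrusion leaves behind. The config dicts and log lines are constructed; the log field names follow MongoDB's 4.4+ JSON log shape as far as the author knows it and should be treated as an assumption to confirm against the version you run.

```python
import json
from collections import Counter

# Commands whose appearance from an unexpected client points at a wipe.
DESTRUCTIVE_COMMANDS = {"dropDatabase", "drop"}

# Constructed mongod.conf contents as dicts (what yaml.safe_load would return):
# the weak shape the report describes beside a hardened one.
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "security": {},  # authorization left at its default (disabled)
}
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.12"},
    "security": {"authorization": "enabled"},
}


def audit_mongod_config(cfg):
    """Return a list of findings for a parsed mongod.conf.

    Two settings decide the exposure class the report counts: whether mongod
    listens on every interface and whether authorization is enforced.
    """
    findings = []
    net = cfg.get("net") or {}
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    # bindIpAll: true, or a wildcard address, means reachable from any network
    exposed = bool(net.get("bindIpAll")) or any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    if exposed:
        findings.append("net.bindIp listens on all interfaces")
    authz = (cfg.get("security") or {}).get("authorization", "disabled")
    if authz != "enabled":
        findings.append("security.authorization is not 'enabled'")
    if exposed and authz != "enabled":
        findings.append("CRITICAL: unauthenticated access reachable from the network")
    return findings


# Constructed log lines in the MongoDB 4.4+ structured (JSON) style. The numeric
# "id" field is omitted rather than guessed; 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '{"t":{"$date":"2024-01-01T10:00:00.000+00:00"},"s":"I","c":"NETWORK","ctx":"listener",'
    '"msg":"Connection accepted","attr":{"remote":"203.0.113.7:51234","connectionId":12}}',
    '{"t":{"$date":"2024-01-01T10:00:01.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn12",'
    '"msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin",'
    '"authenticationDatabase":"admin","remote":"203.0.113.7:51234"}}',
    '{"t":{"$date":"2024-01-01T10:00:02.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn12",'
    '"msg":"Slow query","attr":{"type":"command","ns":"shop.$cmd","remote":"203.0.113.7:51234",'
    '"command":{"dropDatabase":1,"$db":"shop"},"durationMillis":12}}',
    '{"t":{"$date":"2024-01-01T10:05:00.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn3",'
    '"msg":"Slow query","attr":{"type":"command","ns":"shop.orders","remote":"10.0.0.5:40001",'
    '"command":{"find":"orders","filter":{"status":"open"},"$db":"shop"},"durationMillis":150}}',
    'this line is not JSON and is skipped',
]


def find_suspicious_events(lines):
    """Scan structured log lines; return one dict per failed login or
    destructive command, each tagged with the remote client address.

    When authorization is disabled there are no authentication events at all,
    so the drop commands are the only signal of a wipe.
    """
    events = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # corrupt or truncated line; count these in production
        attr = rec.get("attr") or {}
        remote = attr.get("remote", "unknown")
        component, msg = rec.get("c"), rec.get("msg", "")
        if component == "ACCESS" and msg == "Authentication failed":
            events.append({"remote": remote, "kind": "auth_failure", "ctx": rec.get("ctx")})
        elif component == "COMMAND":
            command = attr.get("command") or {}
            name = next(iter(command), None)  # the first key names the command
            if name in DESTRUCTIVE_COMMANDS:
                events.append({"remote": remote, "kind": name,
                               "ns": attr.get("ns"), "ctx": rec.get("ctx")})
    return events


def clients_to_review(events, allowlist=()):
    """Count events per remote host, skipping allowlisted hosts; the result is
    the ordered list of addresses an analyst should look at first."""
    counts = Counter()
    for e in events:
        host = e["remote"].rsplit(":", 1)[0]
        if host not in allowlist:
            counts[host] += 1
    return counts.most_common()


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
    events = find_suspicious_events(SAMPLE_LOG)
    for host, n in clients_to_review(events, allowlist={"10.0.0.5"}):
        kinds = [e["kind"] for e in events if e["remote"].startswith(host)]
        print(f"{host}: {n} events -> {kinds}")
```

On the weak config the audit returns all three findings and on the hardened one none; the log scan attributes one authentication failure and one dropDatabase to the same external client while the internal find query is ignored. A real deployment would feed the functions a config loaded with yaml.safe_load and the mongod log file, and would treat any drop from a host outside the allowlist as an incident.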

WHY IT MATTERS

Automated extortion targeting misconfigured databases can yield wide impact at low cost to the attacker. Basic security controls and timely patching can substantially reduce the risk of compromise and data loss.