In the last fortnight the number of organizations that have had their MongoDB databases accessed, copied and deleted by attackers has been steadily increasing.
Ethical hacker Victor Gevers noticed in late December that many MongoDB databases had been left unsecured and were freely accessible over the Internet to anyone who found them. By January 6 he reported that 13 organizations had had their databases copied and erased. In their place was a new database containing nothing but a ransom note. The attacker offered to return the data once a ransom had been paid, in this case 0.2 Bitcoin (around $175).
The number of affected organizations has risen rapidly over the past few days. Today, more than 32,000 have had their databases deleted and been issued with ransom demands, including Emory Healthcare.
Emory Healthcare is not the only U.S. healthcare group to have left databases exposed. MacKeeper security expert Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which manages the website militarysleep.org – has also been left exposed.
The 2GB database holds the records of 1,200 veterans with sleep disorders who registered with the clinic: names, email addresses, home addresses, former military rank and their recorded use of the site. It also contains chat logs of conversations between doctors and veterans, which include highly sensitive details of patients' medical conditions.
As with the other affected organizations, these databases were running in MongoDB's default configuration, so the data can be read by anyone who finds the instance. The server listens on the network and no username, password or other form of authentication is required to connect.
The problem mainly affects deployments of older MongoDB versions. Earlier releases shipped with the database listening on all network interfaces and with access control turned off, so an instance on a publicly routable address was open to the whole Internet. More recent releases changed the default so that the server listens only on the local interface, but many organizations are still running older versions, or have carried the old configuration over, and have never enabled authentication or restricted remote access.
Sadly, multiple attackers have started scanning for unsecured MongoDB databases, deleting the data and issuing ransom demands. One well-known organized ransomware gang has also become involved and is attempting to extort money from more than 21,000 organizations.
While some of these 'hackers' have exfiltrated data before deleting the databases, others have simply dropped them. Ransom demands are issued in both cases, but where no copy was taken the data cannot be returned even if the ransom is paid. Victims should therefore not assume that paying will recover anything, and should look at the server and network logs for evidence of a bulk read before the deletion before deciding how to respond.
Healthcare organizations that run MongoDB should check now that their instances are not exposed: enable access control, bind the server to the loopback interface or a private address, block the default port (27017) from untrusted networks at the firewall, and keep tested backups so that a deleted database can be restored without paying. Given the number of organizations already attacked, leaving an instance open is likely to result in the data being hijacked or, worse, permanently erased. Gevers estimates that more than 99,000 organizations still have misconfigured MongoDB databases and are therefore at risk.
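As an added example for this article (not the page's own code and not MongoDB's tooling), the following Python script audits a mongod.conf for the two conditions described above: a listener on a non-loopback interface combined with access control turned off. The configuration texts are constructed for illustration; the option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`, and the older `bind_ip`, `auth` and `noauth`) are MongoDB's, but the parser handles only the small subset of YAML that mongod.conf files use. An absent `bindIp` is treated as "all interfaces", which was the binary default before MongoDB 3.6.

```python
"""Audit a mongod.conf for the two settings that made the 2017 ransom attacks
possible: a listener on a non-loopback interface combined with access control
turned off.  Handles the YAML format (MongoDB 2.6+) and the key=value format of
older releases.  Example code written for this article, not MongoDB's tooling."""
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _parse_yaml_subset(text):
    """Parse the nested-mapping subset of YAML that mongod.conf uses into dotted
    keys, e.g. {'net.bindIp': '0.0.0.0'}.  Deliberately not a full YAML parser."""
    settings, stack = {}, []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling mappings
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():  # leaf value: record it under its dotted path
            settings[".".join(k for _, k in stack)] = value.strip().strip("\"'")
    return settings


def _parse_legacy(text):
    """Map the pre-2.6 key=value options onto the same dotted keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bind_ip":
            settings["net.bindIp"] = value
        elif key == "auth":
            settings["security.authorization"] = "enabled" if value.lower() == "true" else "disabled"
        elif key == "noauth" and value.lower() == "true":
            settings["security.authorization"] = "disabled"
    return settings


def audit_config(text):
    """Return a list of findings for a mongod.conf; an empty list means no
    unauthenticated listener is reachable from the network."""
    is_legacy = re.search(r"^\s*\w+\s*=", text, re.M) is not None
    settings = _parse_legacy(text) if is_legacy else _parse_yaml_subset(text)
    findings = []

    # Absent bindIp means the binary default, which before 3.6 was every interface.
    bind = settings.get("net.bindIp", "0.0.0.0")
    addrs = {a.strip() for a in bind.split(",")}
    exposed = settings.get("net.bindIpAll", "").lower() == "true" or not addrs <= LOOPBACK
    if exposed:
        findings.append(f"listens on a non-loopback interface (net.bindIp: {bind})")

    # Access control has never been on by default; only an explicit 'enabled' counts.
    no_auth = settings.get("security.authorization", "disabled").lower() != "enabled"
    if no_auth:
        findings.append("access control disabled (security.authorization is not 'enabled')")

    if exposed and no_auth:
        findings.append("CRITICAL: anyone who can reach port 27017 can read, copy and drop every database")
    return findings


# Constructed sample configs for demonstration (not taken from any real host).
WEAK_CONF = """\
# typical pre-2017 config: no security section, listening everywhere
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1   # or a private address reachable only through the firewall
security:
  authorization: enabled
"""

LEGACY_WEAK_CONF = """\
# pre-2.6 key=value format with no bind_ip and no auth line
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
"""

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_WEAK_CONF)]:
        print(name, audit_config(conf) or ["ok"])
```

The audit reads only the configuration file, so a server started with command-line flags that override it will not be caught; after applying the hardened settings and restarting, confirm the running instance from another host by connecting with the mongo shell without credentials and running `db.adminCommand("listDatabases")`, which a correctly secured instance refuses.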