Unistellar Hacking Group Deletes More Than 12,500 Unsecured MongoDB Databases

There has been a spate of attacks on businesses running unsecured MongoDB databases in the past three weeks that has seen the attackers delete databases and demand payment to restore the data.

The attacks have been conducted by the Unistellar hacking group. This is the largest campaign targeting MongoDB databases since the widespread attacks in 2017. At the time of writing, the latest campaign has seen more than 12,500 databases deleted.

The attacks do not demand a ransom as such, instead they leave a note informing the database owner that they need to make contact via email to find out about the hackers’ data restoration services.

The deleted databases were discovered by security research Sanyam Jain, who discovered one deleted database on April 24, 2019 with the note “Restore ? Contact : [email protected],” and that it was far from an isolated attack.

The attacks are believed to be automated. While it is not clear whether the hackers can recover the deleted data, they are creating restore points in the databases which suggests data recovery will be possible. Jain notes that approximately 63,000 unsecured MongoDB databases have been indexed by the BinaryEdge search engine and, so far, around 20% have been deleted by the Unistellar hackers.

In ransomware attacks, the ransom note contains the Bitcoin wallet addresses used by the attackers, which makes it easy to track how many victims have paid the ransom. However, since no Bitcoin or other cryptocurrency wallet addresses are disclosed in the attacks, it not possible to get an indication of how many of the victims have paid and how much the attackers are charging to restore the deleted databases.

One the recent victims is the owner of the database containing more than 275 million records of Indian citizens which was discovered as being accessible over the Internet by security researcher Bob Diachenko on May 1. That database, which remained accessible despite Diachenko notifying Indian CERT, was deleted by the Unistellar hackers on May 8.

The spate of attacks should serve as a warning to all MongoDB users to check their databases and make sure they are not exposed over the Internet and are properly secured. Proper access controls should be set to ensure users must authenticated before access is granted and databases should be encrypted to prevent data leakage. Naturally, all databases should be backed up to ensure they can be recovered without paying a ransom or any ‘restoration services’ in the event of an attack.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news