Mongo Lock Attack Targeting Vulnerable Databases

Security researcher Bob Diachenko discovered a new attack targeting remotely accessible MongoDB databases, dubbed Mongo Lock. In this campaign, threat actors scan the internet for vulnerable servers and, once located, export the databases, delete them, and generate a ransom note demanding payment in return for the servers’ contents. Using a publicly available internet-of-things (IoT) search engine, NJCCIC analysts determined that New Jersey has over 1,000 MongoDB servers open and exposed to the internet that may be vulnerable to this and similar attacks. Last year, the NJCCIC released several alerts warning members about cyber extortion campaigns that were actively targeting vulnerable MongoDB servers. We recommend that administrators of MongoDB servers review our previous NJCCIC Cyber Alert, audit their security settings, and implement the mitigation strategies provided as soon as possible. Additionally, review MongoDB’s security recommendations and its checklist for securing databases.
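The "audit their security settings" step above comes down to two questions for each instance: is mongod listening on every interface, and is access control turned on? The following Python audit is an added example written for this page (it is not NJCCIC's or MongoDB's tooling). It reads a mongod.conf and flags `net.bindIp` / `net.bindIpAll` values that expose the port and a `security.authorization` that is not `enabled`. The two configuration texts are constructed samples, and the tiny reader handles only the flat `section:` / `  key: value` layout they use; a real deployment should feed the file through a YAML library instead.

```python
"""Audit a mongod.conf for the two settings that decide whether an instance is
reachable and writable by anyone on the internet: network binding and
access control."""

from typing import Dict, List

# Constructed sample: the shape of an exposed instance (binds to all interfaces,
# no security section, so no authentication is required).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: listens on loopback only and requires authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for the 'section:' / '  key: value' layout used above.

    This is deliberately not a YAML parser; it exists so the example runs
    offline without PyYAML. Lists, nested maps and quoting are not handled.
    """
    result: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            result.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            result[section][key.strip()] = value.strip()
    return result


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []
    net = conf.get("net", {})

    # Network exposure: 0.0.0.0 / :: (or bindIpAll: true) means every interface.
    # Older releases (before 3.6) also listened on all interfaces when bindIp
    # was absent, so an unset value is worth verifying rather than assuming safe.
    bind_ip = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll=true: listening on all interfaces")
    elif bind_ip is None:
        findings.append("net.bindIp not set: confirm the server is not listening on all interfaces")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append(f"net.bindIp={bind_ip}: listening on all interfaces")

    # Access control: without authorization enabled, anyone who can reach the
    # port can list, export and drop every database, which is all Mongo Lock needs.
    auth = conf.get("security", {}).get("authorization")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': no authentication required to read or drop databases")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against `/etc/mongod.conf` by reading the file into `audit_mongod_conf`; an empty result only covers these two settings, so the rest of MongoDB's security checklist (TLS, role-based users, network filtering) still applies.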