Over 26,000 MongoDB Servers Reportedly Targeted in Ongoing Extortion Campaign

On January 3 and January 11, 2017, the NJCCIC released alerts warning members that MongoDB servers were being actively targeted in a cyber extortion campaign and that those open to external connections and lacking an administrator account password could be easily accessed by hackers via TCP port 27017. Once hackers gain access, they either export or delete any data stored on the server and replace it with a ransom note demanding payment for its return. Over this past weekend, security researcher Victor Gevers reported seeing a new surge of attacks by three new hacking groups who have, so far, hijacked over 26,000 vulnerable MongoDB servers. On Tuesday, September 5, we released an alert to our members to warn them about this threat. The NJCCIC recommends administrators of MongoDB servers review the NJCCIC Cyber Alert and implement the mitigation strategies provided as soon as possible.
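The two conditions the alert describes (a listener reachable from outside on TCP port 27017, and no access control) can be checked in a server's own configuration file. The script below is an added example, not part of the NJCCIC alert; it assumes a YAML-format mongod.conf using the net.bindIp, net.bindIpAll, net.port and security.authorization settings, and both sample configurations, including the address 10.0.5.12, are constructed.

```python
import ipaddress
# Constructed sample configs, not taken from any real server.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one internal interface
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten a simple two-level YAML mongod.conf into {'section.key': value}."""
    flat, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if raw[0].isspace():                        # indented: belongs to section
            key = f"{section}.{key}"
        else:
            section = key
        flat[key] = value.strip().strip("'\"")
    return flat

def is_external(addr):
    if addr == "localhost" or addr.startswith("/"):  # local name or Unix socket
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True   # other hostname: treat as exposed until reviewed
    return ip.is_unspecified or ip.is_global

def audit(text):
    """Return findings for the two conditions the alert names."""
    conf, findings = parse_conf(text), []
    binds = [b.strip() for b in conf.get("net.bindIp", "").split(",") if b.strip()]
    if conf.get("net.bindIpAll", "").lower() == "true" or any(map(is_external, binds)):
        findings.append(f"listens on external interface, port {conf.get('net.port', '27017')}")
    elif not binds:
        findings.append("net.bindIp not set; default differs by MongoDB version")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

The check reads only the configuration file, so command-line options passed to mongod and firewall rules in front of the host still need to be reviewed separately.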