A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return.
Emory Healthcare is the largest healthcare provider in Georgia, with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health Center. Information in the database includes patients’ names, addresses, email addresses, dates of birth, medical ID numbers, and phone numbers.
However, while the attack involves a ransom demand, Harak1r1 is not using ransomware. The database of Emory Healthcare was accessed, the database was stolen, and the data tables wiped. Emory Healthcare is far from the only victim. More than 4,000 companies have been attacked by Harak1r1.
The attacks on misconfigured MongoDB databases were discovered by the ethical hacker Victor Gevers of GDI Foundation on December 27, 2016.
Gevers found a MongoDB database that had been left unsecured. When the database was accessed, instead of data in the tables, the database appeared to have been wiped clean and replaced with a ransom demand asking for 0.2 Bitcoin to be paid to recover the database. Gevers reports that the attacker gained access to the healthcare provider’s MongoDB database, exfiltrated it, and replaced the data with a new table called Warning which contained the ransom demand.
Gevers investigated and discovered numerous organizations had also been attacked. The victim count has been steadily rising over the past couple of weeks, from tens to hundreds to thousands.
Reports this morning indicate the total victim count has now surpassed 28,000. Norway-based security researcher Niall Merrigan is tracking the attacks along with Gevers. At the time of writing, the victim count has reached 28,321.
However, not all of the attacks have been conducted by Harak1r1. There now appear to be at least 13 individuals involved. One attacker from India has attacked and wiped the data of more than 16,000 organizations. Unfortunately, not all of the attackers are exfiltrating data. Organizations are being issued with ransom demands, but their databases are simply being wiped. Payment of the ransom may not result in data being recovered.
The good news is that the problem appears to only affect older installations of MongoDB that have been left in the default configuration. The bad news is that there are 99,000 or more of these unprotected databases according to Gevers.
In the default configuration, databases can be accessed over the Internet without the need for any hacking tools. Not even a username and password are required to gain access to the unprotected databases.
MongoDB, Inc., the company behind MongoDB, fixed the issue in the latest MongoDB version. Unfortunately, if MongoDB admins have not upgraded to the latest version or have not otherwise secured their MongoDB installations, their databases may be stolen or simply deleted.
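To make the default-configuration problem concrete, here is an added example (not from the article, and not MongoDB's own tooling) that audits a mongod configuration for the two settings behind these attacks: listening on every interface and running without access control. It assumes the standard mongod.conf YAML layout (net.bindIp / net.bindIpAll and security.authorization), passed in as an already-parsed dict so the check runs without PyYAML; the two sample configurations are constructed for illustration.

```python
"""Audit a mongod configuration for the exposure pattern described above.

Added example, not part of the original article. Assumes the standard
mongod.conf YAML layout, already parsed into a dict. The two sample
configurations below are constructed for illustration.
"""

# Constructed sample: the unsafe layout, listening on every interface
# with no authentication required.
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed sample: bound to loopback, access control switched on.
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Wildcard addresses that expose the listener on all interfaces.
PUBLIC_BINDS = {"0.0.0.0", "::", "::0"}


def _get(cfg, *path):
    """Walk a nested dict; return None if any key on the path is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def bind_addresses(cfg):
    """Return the set of addresses mongod would listen on.

    bindIp may be a comma-separated string (as written in the config file)
    or a list; bindIpAll: true overrides it. An absent setting is treated as
    all interfaces, the older binary default the article refers to, which is
    the conservative assumption for an audit.
    """
    if _get(cfg, "net", "bindIpAll") is True:
        return {"0.0.0.0"}
    raw = _get(cfg, "net", "bindIp")
    if raw is None:
        return {"0.0.0.0"}
    if isinstance(raw, str):
        raw = raw.split(",")
    return {addr.strip() for addr in raw if addr.strip()}


def audit(cfg):
    """Return a list of findings; an empty list means no exposure pattern found."""
    findings = []
    exposed = bind_addresses(cfg) & PUBLIC_BINDS
    if exposed:
        findings.append(
            "net.bindIp listens on all interfaces (%s); bind to 127.0.0.1 or "
            "a private interface" % ", ".join(sorted(exposed))
        )
    if _get(cfg, "security", "authorization") != "enabled":
        findings.append(
            "security.authorization is not 'enabled'; clients connect without credentials"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

To run it against a real file, load it with PyYAML (`yaml.safe_load(open("/etc/mongod.conf"))`) and pass the result to `audit`. The check only looks at the config file: the equivalent command-line flags (`--bind_ip`, `--bind_ip_all`, `--auth`) and a replica-set `keyFile`, which also enables authentication, are not modelled, so a clean result here still needs to be confirmed against the running process and its listening sockets.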
Any organization that uses MongoDB should take immediate action to ensure its installation is up to date and its data secured and backed up. The 0.2 Bitcoin ransom may not break the bank, but there is a high probability that data will simply be wiped. Should that happen, and a viable backup not exist, the data will be permanently lost.