Share this article on:
Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing.
Ethical Hacker Victor Gevers discovered in late December that many MondoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175).
The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare.
Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which operates the website militarysleep.org – has also been left exposed.
The database, which contains 2GB of information, includes details of 1,200 veterans who suffer from sleep disorders and have registered with the Sleep Clinic. The database contains sensitive information such as veterans’ names, email addresses, home addresses, former rank in the military, and their history of use of the site. The database also contains chat logs of conversations between doctors and veterans. Those logs contain highly sensitive details of patients’ medical conditions.
As with other organizations that have left their MongoDB databases in the default configuration, information can be accessed by anyone who knows where to look. No login credentials are required. Databases can be accessed without the need for usernames or passwords or any authentication.
The problem affects organizations that are using older versions of MongoDB. MongoDB had, in previous versions, been set with unrestricted remote access turned on as default. While later versions of the database platform had this changed with remote access set to off in the default configuration, many organizations are still using older versions and not changed the configuration settings to prevent unrestricted data access.
Unfortunately, many individuals have started to access unprotected MongoDB databases and have deleted data and issued ransom demands. One well known organized ransomware gang has also got involved and is attempting to extort money from 21,000+ organizations.
While some of these ‘hackers’ have exfiltrated data prior to deleting databases, others have not. Ransom demands are being issued nonetheless, although since no copy of the data has been taken, recovery will be impossible even if a ransom payment is made.
Healthcare organizations that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized individuals. Given the number of organizations already attacked, failure to do so is likely to result in data being hijacked, or worse, permanently deleted. Gevers suggests there are more than 99,000 organizations that have misconfigured MongoDB databases and are therefore at risk.