Over the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been on the rise.
Ethical hacker Victor Gevers found in late December that many MongoDB databases had been left unsecured and were freely accessible over the Internet to unauthorized people. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker who carried out the attack offered to return the data once a ransom had been paid – in this case 0.2 Bitcoin ($175).
The number of affected organizations has rapidly grown over the past few days. Today, more than 32,000 organizations have been hit with ransom demands and have had their databases deleted, including Emory Healthcare.
Emory Healthcare is not the only U.S. healthcare group to have left databases easily accessible. MacKeeper security researcher Chris Vickery has found another potential healthcare victim. A database used by WAMC Sleep Clinic – which runs the website militarysleep.org – has also been left exposed to a possible attack.
The database, which stores 2GB of data, includes details of 1,200 veterans who suffer from sleep disorders and have attended the Sleep Clinic. It stores sensitive information such as veterans’ names, email addresses, home addresses, former rank in the military, and their history of use of the site. The database also holds chat logs of conversations between doctors and veterans, and those logs contain extremely sensitive details of patients’ medical conditions.
As with other groups that have left their MongoDB databases in the default configuration, the information can be accessed by anyone who knows where to look. No login credentials are needed: the databases can be accessed without a username, a password, or any other form of authentication.
The problem affects organizations running older versions of MongoDB. In older versions, MongoDB shipped with unrestricted remote access turned on by default. Newer versions of the database platform changed this, with remote access turned off in the default configuration, but many organizations are still running earlier versions and have not amended their configuration settings to prevent unrestricted access to their data.
Unfortunately, many people have begun to access unprotected MongoDB databases, delete the data, and issue ransom demands. One well-known organized ransomware group has also become involved and is trying to extort money from 21,000+ organizations.
While some of these ‘hackers’ have obtained a copy of the data before deleting the databases, others have not. Ransom demands are being issued regardless, but where no copy of the data has been taken, recovery will be impossible even if the ransom is paid.
Healthcare groups that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized people. Given the number of organizations already hit, failure to do so is likely to lead to data being hijacked, or worse, permanently lost. Gevers says there are more than 99,000 organizations that have misconfigured MongoDB databases and are therefore in danger.
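As an added illustration of the default-configuration problem described above and the remediation recommended here (this is not code from the article, from Gevers, or from MongoDB), the Python script below audits a mongod.conf for the two settings at issue: net.bindIp / bind_ip (which interfaces mongod listens on) and security.authorization / auth (whether credentials are required). Those are MongoDB's real configuration keys; the parser is a minimal one written for this example, the sample configuration texts are constructed, and the script assumes the defaults the article describes, namely that an absent bindIp means remote access is on and an absent authorization setting means no authentication.

```python
"""Audit a mongod configuration for the two weaknesses behind the MongoDB
ransom incidents described above: listening on every network interface and
running with no authentication.

Added example, not code from the article or from MongoDB. It assumes the
defaults the article describes: with net.bindIp absent mongod accepts remote
connections, and with security.authorization absent no credentials are
required. The sample configuration texts below are constructed."""

import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::"}

# Constructed sample: an unhardened YAML-style mongod.conf (no bindIp, no
# security section), the shape that left databases open in these incidents.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
"""

# Constructed sample: the same file with remote access off and auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1   # loopback only; add a private address if replicas need it
security:
  authorization: enabled
"""

# Constructed sample: legacy ini-style config that explicitly exposes everything.
LEGACY_CONF = """\
dbpath = /var/lib/mongodb
bind_ip = 0.0.0.0
auth = false
"""

_LINE = re.compile(r"([\w.]+)\s*[:=]\s*(.*)$")


def parse_mongod_conf(text):
    """Flatten a mongod.conf into dotted keys ('net.bindIp', 'bind_ip', ...).

    Covers the YAML layout ('net:' then indented 'bindIp: ...') and the older
    ini layout ('bind_ip = ...', 'auth = true'). Deliberately minimal: only
    one level of nesting, which is all the audited keys use.
    """
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = _LINE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        indented = line[0] in " \t"
        if indented and section:
            settings[f"{section}.{key}"] = value
        elif value == "":
            section = key            # YAML mapping header such as 'net:'
        else:
            section = None
            settings[key] = value    # legacy flat key such as 'bind_ip'
    return settings


def audit_settings(settings):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    bind = settings.get("net.bindIp", settings.get("bind_ip"))
    if bind is None:
        findings.append("bindIp not set: mongod listens on all interfaces, so remote access is on")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if addrs & ALL_INTERFACES:
            findings.append(f"bindIp {bind!r}: bound to every interface")
        elif not addrs <= LOOPBACK:
            findings.append(f"bindIp {bind!r}: reachable over the network; authentication and firewalling are required")
    auth = settings.get("security.authorization", settings.get("auth"))
    if auth is None or auth.lower() not in ("enabled", "true"):
        findings.append("authorization not enabled: no username or password is needed to read or delete data")
    return findings


def audit_conf(text):
    """Parse a mongod.conf text and audit it in one step."""
    return audit_settings(parse_mongod_conf(text))


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)]:
        print(f"{name}: {audit_conf(conf) or ['ok']}")
```

Run it against the real file (`/etc/mongod.conf` on most Linux packages) by passing its contents to `audit_conf`. Note that turning on `security.authorization` only protects data once an administrative user exists; MongoDB lets the first user be created over a localhost connection, after which every connection, local or remote, has to present credentials.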