Flare reports that over 1,400 unprotected MongoDB instances show signs of compromise after attackers replaced database contents with ransom notes demanding roughly $500 in Bitcoin. Of more than 200,000 publicly discoverable MongoDB servers, about 3,100 are exposed without proper access controls, and many have vulnerabilities. Flare’s evidence suggests that a single threat actor is likely behind most of the ransacking, while the attacker’s wallet shows only around $400 received so far.
Key points
- Over 1,400 publicly exposed MongoDB instances show signs of compromise with contents replaced by ransom notes.
- Ransom notes typically demand $500 in Bitcoin, and 98% reference the same Bitcoin address, suggesting a single actor.
- Flare identified more than 200,000 MongoDB servers publicly discoverable, with roughly 3,100 exposed without proper access controls.
- About 46% of servers disclose operational information, and over 95,000 have at least one vulnerability, many of which enable denial of service (DoS).
- The attacker’s potential earnings could range up to $842,000, but the observed Bitcoin receipts total only around $400 so far.
Read More: https://www.securityweek.com/over-1400-mongodb-databases-ransacked-by-threat-actor/