MongoDB Issue, Still On Even After More Than Two Years
The December 2016 wave of cyber extortion and espionage against exposed MongoDB installations is still going on in early 2019. Cyber espionage and extortion are lucrative businesses for cybercriminals. Extortion was a very profitable undertaking even before the Internet became a thing, and with the digitalization of data, the ‘trust’ of customers now sits in a storage device.
The researcher Bob Diachenko, analyzing the flow of information from the search engine BinaryEdge, discovered a completely unprotected MongoDB database that exposed the personal and professional information of more than 202 million people. The database held 854 GB of information on people applying for employment in China. The exposed data included names, stature, emails, identification, political inclination, telephone numbers, work experience, skills, and driver’s licenses.
The expert collected the information using a GitHub script that pulled data from different Chinese classifieds sites, one of them belonging to the company 58.com. A representative from 58.com explained that the records had been on their platform and confirmed that a third party had created them.
So far it is not known how long the data remained exposed, but according to the researcher the MongoDB log showed that someone had been accessing the data quite regularly. The suspect, to tell the truth, was already all but certain. Confirmation has now arrived: all entities operating in Russia are obliged to provide dedicated access to the Kremlin government.
Presenting the “smoking gun” was Victor Gevers, a Dutch security researcher who unexpectedly stumbled onto the backdoor while analyzing MongoDB databases exposed on the Internet without any protection, something no sane system administrator would allow. It is not the first time MongoDB databases have attracted the attention of security researchers. In the past they have been subject to massive attacks, and the news is full of cases in which the archives were simply left available to anyone, without any authentication required for access.
“Most of the time they forget to delete the database. It’s clear someone sold a toolkit, as each attack looks the same as the others. Only the email, Bitcoin address, and ransom note differ,” explained Gevers.
What drew Gevers’ attention in this case, however, was (also) something else. Analyzing about 2,000 databases belonging to Russian companies or to companies operating in Russia, the researcher noticed the presence of an identical account in all of them: Admin@kremlin.ru. Among these is also Disney: analyzing the US multinational’s database, one finds the “usual” account that refers to the Kremlin.
The story, however, seems to go further. The researcher has identified the same account on a database belonging to the Ukrainian Ministry of Internal Affairs, a country with which the Kremlin government does not exactly maintain “friendly” relations. The impression, if one wants to hazard a hypothesis, is that someone in Moscow thought it wise to centralize control even of compromised databases. We may never know.
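A defender’s check for the two conditions the article describes (authorization switched off and the instance listening on every interface), plus a sweep for accounts the owner cannot vouch for, as an added example that is not part of the original article. The config text, user list, allowlist and the minimal key: value parser are constructed assumptions, not MongoDB’s own tooling.

```python
# Constructed sample mongod.conf (not taken from any real deployment).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""
HARDENED_CONF = WEAK_CONF.replace("0.0.0.0", "127.0.0.1,10.0.0.5").replace("disabled", "enabled")
# Constructed db.getUsers()-style entries; the allowlist is what the owner expects to exist.
SAMPLE_USERS = [{"user": "appsvc", "db": "admin"}, {"user": "unknown-admin", "db": "admin"}]
ALLOWLIST = {("appsvc", "admin")}


def parse_conf(text):
    """Minimal parser for the indented key: value subset of mongod.conf (not full YAML)."""
    root = {}
    stack = [(-1, root)]                        # (indent, mapping) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip(): continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:           # close sections nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:                                   # section header: start a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_conf(conf):
    """Return findings; an empty list means neither weakness is present.
    A missing bindIp is treated as the localhost default of MongoDB 3.6+."""
    findings = []
    net, sec = conf.get("net", {}), conf.get("security", {})
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: no login needed to read or drop data")
    bound = {ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")}
    if bound & {"0.0.0.0", "::"} or net.get("bindIpAll") == "true":
        findings.append("net.bindIp listens on all interfaces: reachable from wherever the host is")
    return findings


def unexpected_users(users, allowlist):
    """db.getUsers()-style entries not on the allowlist, as 'user@db' strings."""
    return sorted(f"{u['user']}@{u['db']}" for u in users
                  if (u["user"], u["db"]) not in allowlist)
```

Running `audit_conf(parse_conf(WEAK_CONF))` yields both findings, the hardened config yields none, and `unexpected_users` surfaces the one account the allowlist does not cover.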
Julia Sowells
Julia Sowells is a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, has written technical articles, and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as security consultant while continuing to write for Hacker Combat in her limited spare time.