Threat actor targets exposed MongoDB databases in low-cost extortion scheme

A threat actor is actively exploiting misconfigured MongoDB databases exposed to the internet, wiping the contents and demanding low ransoms to restore access. According to researchers at cybersecurity firm Flare, around 1,400 MongoDB servers have already been compromised in automated attacks that typically demand about $500 in Bitcoin from victims.

Flare says it found more than 208,500 publicly exposed MongoDB servers, including 3,100 that required no authentication. Nearly half of the unsecured instances had already been wiped and replaced with ransom notes demanding 0.005 BTC within 48 hours. Analysis of the notes revealed just five Bitcoin wallet addresses, with one used in roughly 98% of cases, suggesting a single actor behind the campaign. Researchers also noted there is no assurance attackers actually retain stolen data or will restore it after payment.

Flare warned that the threat persists despite a decline from the mass MongoDB extortion attacks seen before 2021. The researchers also found that almost half of the exposed MongoDB servers were running outdated versions vulnerable to known flaws. Administrators are therefore advised to keep their servers off the public internet, enforce strong authentication and firewall rules, keep MongoDB fully updated, and continuously monitor for signs of unauthorized access.
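The two misconfigurations the campaign depends on, a listener bound to every interface and no authorization, are visible in mongod.conf before any attacker finds them. The following audit is an added example, not part of the article or of MongoDB's own tooling; it assumes the config has already been loaded with a YAML parser (e.g. `yaml.safe_load()`) into a dict, and embeds two constructed configs, one exposed and one hardened, to run offline.

```python
"""Audit a parsed mongod.conf for the exposure pattern behind the MongoDB wipes.

Added example (not from the article or the MongoDB project). The config is
assumed to be the dict a YAML parser returns for mongod.conf; the sample
configs at the bottom are constructed for this demonstration.
"""
import ipaddress

# Addresses that mean "local clients only"; mongod also accepts the literal
# hostname "localhost" in net.bindIp.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _bind_ips(net):
    """Expand net.bindIp / net.bindIpAll into a list of address strings."""
    raw = net.get("bindIp", "127.0.0.1")  # mongod has bound loopback by default since 3.6
    ips = [part.strip() for part in str(raw).split(",")]
    if net.get("bindIpAll"):  # equivalent to binding 0.0.0.0
        ips.append("0.0.0.0")
    return ips


def audit(cfg):
    """Return a list of findings; an empty list means no exposure issue found."""
    findings = []
    net = cfg.get("net") or {}
    sec = cfg.get("security") or {}

    for ip in _bind_ips(net):
        if ip in LOOPBACK:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"unrecognised bindIp value {ip!r}")
            continue
        if addr.is_unspecified:  # 0.0.0.0 or ::
            findings.append("bindIp includes a wildcard address: listens on every interface")
        elif not addr.is_private:
            findings.append(f"bindIp {ip} is a public address")

    # Without authorization, any client that can reach the port can read,
    # drop or overwrite every database, which is exactly what the wipes do.
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")
    return findings


# Constructed sample configs: the exposed pattern and a hardened counterpart.
EXPOSED = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
HARDENED = {"net": {"bindIp": "127.0.0.1,10.0.0.5", "port": 27017},
            "security": {"authorization": "enabled"}}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```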
