New wave of concentrated attacks target MongoDB

by Tomas Statkus

A new wave of attacks has been discovered targeting MongoDB installations. The attacks resemble the campaign that ran from the end of 2016 into the beginning of 2017 and became known as the MongoDB Apocalypse. Those attacks took advantage of unprotected databases, wiping their contents and leaving a ransom note in their place; however, victims who paid the ransom still lost their data permanently. Some organizations discovered that the attackers never actually had their information.

The majority of infected databases were test systems; the rest contained production data.

The new campaign against MongoDB was uncovered by security researchers Dylan Katz and Victor Gevers, according to Bleeping Computer.[1]

According to a Google Docs spreadsheet maintained by several Internet security researchers, three email addresses are linked to attacks that have compromised more than 26,000 servers.[2]

Gevers noted that “the amount of (new) attackers went down compared with the beginning of the year, but the destructive reach (in regards to victims) per attack went up in numbers. So it looks like there are fewer attackers but with a larger impact.”

Gevers also stated that he has monitored and recorded incidents in which a malicious actor hacked a victim’s database, the victim restored the data, and the attackers then hijacked the database again because the user had still not properly secured it.

The extensive security features built into MongoDB could, if enabled, help to prevent these attacks.[3]

Gevers also revealed that there are some unanswered questions:

“Now we need to study exactly what is going on here because we are missing pieces of the puzzle to keep a complete picture. Is this a lack of knowledge? Did they mess up the [MongoDB] security settings without knowing it? Are they running on older versions without safe defaults and other vulnerabilities?”
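The security settings and safe defaults Gevers refers to, and the built-in MongoDB security features mentioned above, come down to two mongod.conf settings: which interfaces the server listens on and whether clients must authenticate. The fragments below are an added illustration, not part of the article or of MongoDB's own documentation, and assume the standard YAML mongod.conf format.

```yaml
# Added illustration (not from the article): two mongod.conf fragments.

# 1. Exposed configuration of the kind hit by these attacks.
#    Older versions listened on all interfaces by default and
#    required no authentication, so anyone on the Internet who could
#    reach port 27017 was effectively a database administrator.
net:
  bindIp: 0.0.0.0      # listens on every interface, Internet included
  port: 27017
# no "security" section -> authorization disabled, no login required

# 2. Hardened configuration.
net:
  bindIp: 127.0.0.1    # local only; list specific internal addresses if needed
  port: 27017
security:
  authorization: enabled   # every client must authenticate as a created user
```

After enabling authorization, create the first administrative user from a localhost connection before restarting mongod, otherwise no one can log in; a quick external check is that a connection attempt to port 27017 from outside the host should be refused.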

Gevers is the chairman of the GDI Foundation, an NGO that works to protect devices exposed online, such as Arris modems, IoT devices and cryptocurrency miners. The screenshot below illustrates the GDI Foundation’s activity in 2017 and gives a view of how much effort the team puts into its work.

MongoDB table

About the author

Tomas Statkus - Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of He has worked in the IT area for over 10 years.
