MongoDB Servers Targeted in Ransom Attacks

MongoDB is an open source database application with a default configuration that does not have any security features enabled. Ransom attacks are targeting MongoDB installations that are reachable from the internet.

Threat ID:: CC-1064
Category:: Ransomware
Threat Severity:: Low
Threat Vector:
Published:: 12 January 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Threat details

An attacker uses the default database Administrator credentials to copy the database records off-line and delete the database. A ransom note is then displayed demanding a fee is paid to have the data returned.

Remediation steps

Type	Step
	Enforce authentication for all accounts. Restrict access to the database from untrusted networks where possible. Ensure password authentication uses strong passwords, especially where public access is allowed.

Last edited: 17 February 2020 11:35 am