Security Alert: Exposed MongoDB Databases Targeted by Ransom Campaigns
Security experts have identified that MongoDB databases that are publicly accessible without authentication are being targeted in a ransom campaign. Malicious actors can delete database content and leave ransom notes demanding payment in Bitcoin. Any MongoDB instance deployed with an insecure configuration that allows unrestricted public access can be directly compromised by these attackers.
Affected systems
Internet-exposed MongoDB instances without authentication or network restrictions
Security Risks
Misconfigured MongoDB instances can allow attackers to gain unauthorized access, delete data, disrupt operations, and extort organizations through ransom demands.
Recommended Actions
The National Cyber Security Authority (NCSA) recommends the following actions:
Enable authentication and role-based access controls (RBAC) to ensure only authorized users can access databases.
Restrict network access by allowing connections only from trusted sources, blocking public access to port 27017, and using a trusted VPN or secure gateway.
Before carrying out any update, ensure you have a current, tested backup of your data.
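An added example, not part of the NCSA advisory: a Python check that reads a mongod.conf and reports the two exposures named above, disabled authentication and a listener bound to all or public interfaces. The two sample configurations are constructed and the function names are this example's own; security.authorization, net.bindIp, net.bindIpAll and net.port are MongoDB's configuration file options, and the parser handles only the nested key: value subset of YAML.

```python
import ipaddress
# Constructed sample: the exposed setup the advisory describes.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
# Constructed sample: authentication on, listener on loopback and a private address.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten the nested 'key: value' subset of YAML used by mongod.conf into dotted keys."""
    settings, stack = {}, []  # stack: (indent, key) of the sections currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (assumes no '#' in values)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            settings[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return settings

def audit(text):
    """Return findings; an empty list means neither exposure was found."""
    s, findings = parse_conf(text), []
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("no authentication: set security.authorization to enabled")
    binds = [b.strip() for b in s.get("net.bindIp", "localhost").split(",")]
    if s.get("net.bindIpAll", "false").lower() == "true":
        binds.append("0.0.0.0")
    for b in binds:
        try:
            addr = None if b == "*" else ipaddress.ip_address(b)
        except ValueError:  # hostname or socket path: cannot be judged offline
            continue
        if addr is None or addr.is_unspecified or addr.is_global:
            findings.append(f"listener {b}:{s.get('net.port', '27017')} is not limited to trusted sources")
    return findings
```

A clean result covers only the configuration file; firewall rules, security groups and the database users' roles still need their own review.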
For further information and support, please contact the National Cyber Security Authority (NCSA) by emailing rwcsirt@ncsa.gov.rw or calling us on 9009.