通过空间测绘分析Mongodb被勒索情况

2023年6月14日09:00:35评论109 views字数 3218阅读10分43秒阅读模式

由于微信公众号推送机制改变了，快来星标不再迷路，谢谢大家！

一、mongodb数据被勒索情况介绍

黑客利用了Mongodb未授权访问漏洞，批量的对可操作的数据库进行了“删库”操作，并留下自己的联系方式，要挟用户使用比特币支付赎金换回数据。

过去3个月中全网存在22088个mongodb存未授权访问，这些mongodb中，有12140个存在被勒索的情况，被勒索的mongodb占存在未授权访问mongodb的百分之54.96。攻击者删除了未授权mongodb数据库中的数据，并在READ__ME_TO_RECOVER_YOUR_DATA库中留下自己的联系方式，要挟用户支付比特币赎金换回数据。

通过空间测绘分析Mongodb被勒索情况

在黑客勒索数据库后，并删除了数据库，新建了READ__ME_TO_RECOVER_YOUR_DATA表，留下了这么一段话：

All your data was backed up. You need to email us at [email protected] to recover your data. (more information: go tohttps://cutt.ly/11recdb) ALLWAYS CHECK YOUR SPAM FOLDER! OR YOU MAY MISS OUR MAILSIf you dont answer we will leak and expose all your data and in 48hs delete it forever from our server.

访问URLhttps://cutt.ly/11recdb，黑客留下这么一段文字，大意为发0.035比特币给地址为17An5PGTA7PYXaiiqPpZDMHyFBdM1qfpB 、并威胁不给钱数据将会在黑产市场中披露。

通过空间测绘分析Mongodb被勒索情况

To retrieve your data, a 0.035 Bitcoin payment is required to address 17An5PGTA7PYXaiiqPpZDMHyFBdM1qfpB Then send transaction screenshot or proof of payment to us.

Kindly visit buy.moonpay.io to buy BTC using a credit card or visit any of the following sites: paxful.com, Binance.com, Coinbase.com, or Crypto.com. In China, you can purchase BTC from Huobi, OKcoin, BTCC, Paybis, Coinmama, or Bitfinex. 

Contact us to discuss different payment methods.
Once payment is confirmed, we will send you a link for you to download the data, and we will delete our copy. Please note that failure to pay within 48 hours will result in a doubled price. We always release data after payment and do not release data without payment. 

We will not release data even if you beg, so kindly ensure payment is made promptly. Also, don't joke with us, It can cause you won't see your data again. We will contact your boss if we don't get an answer from you.

It is essential to note that failure to pay within 48 hours will result in the issue being disclosed to GDPR automatically. If you do not need the data, your database may be sold in online markets if we think we can profit from it, disclosed to your users and ask them for money, disclosed in online breach forums or erased.

If you can't send email then go to https://getsession.org/ and download the Session Messenger. Contact us in Session with our ID: 05a5ba6491a15908207cce6e257b3316cd11cb2575f75194d3c59c37de68eaf55a

截止到2023年6月6日，黑客暂未收到任何比特币转账。

通过空间测绘分析Mongodb被勒索情况

二：全网被勒索的mongodb数据库态势感知

输入检索语法：

service.mongodb.authentication:false AND response:"READ__ME_TO_RECOVER_YOUR_DATA"

统计近三个月全网被勒索的mongodb数据如下图：

通过空间测绘分析Mongodb被勒索情况

三、国内受影响情况

近三个月内，中国存在7817个ip收到了勒索攻击，其中勒索攻击受到影响最严重的为上海、北京、广东和浙江省。

通过空间测绘分析Mongodb被勒索情况

四、国外受影响情况

通过空间测绘分析Mongodb被勒索情况

近三个月内，国外受影响最多的国家是美国、德国、印度，被勒索的数量分别为1672、549、426个ip。

五、mongodb未授权访问修复方案

1、修改默认端口或将MongoDB部署在内部网络中

修改默认的MongoDB端口(默认为：TCP 27017)为其他端口。

2、开启 MongoDB授权

> use admin     > db.createUser(     { user: "root",          pwd: "YOUR PASSWORD",          roles:          [                {               role: "userAdminAnyDatabase",               db: "admin"              }         ]     }    )