Unidentified persons destroyed the NewsBlur RSS database
An unknown hacker erased the database of the popular RSS reader NewsBlur, and then demanded a ransom from the developers in exchange for access to the data.
According to a message that appeared on the company’s home page, the attack affected MongoDB servers and one of the five databases the company uses. At the same time, NewsBlur founder Samuel Clay wrote that the database was exposed because of a firewall error, which he attributes to his own mistake during a scheduled database migration. Clay is confident that this misconfiguration is what allowed the hacker to reach the server, erase its contents and leave a ransom note. Moreover, it took the attacker only three hours to find the MongoDB instance once it was accidentally exposed to the internet.
Let me remind you that just a few years ago, MongoDB hacks and ransom demands were a very popular tactic among cybercriminals. For example, by mid-2017, attackers had already compromised more than 45,000 databases, and at some point, in addition to MongoDB, they also became interested in ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL.
Although the original hacker groups that practised such attacks in 2016-2017 stopped after only a few months, since holding a database “hostage” brought them almost no money, experts kept discovering new participants in these attacks for a long time afterwards, each of whom also decided to try their hand at extortion.
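The incident above turned on two settings: a database listener reachable from outside once the firewall slipped, and no access control on it. The script below is an added example written for this article, not NewsBlur's or MongoDB's code. It audits a mongod configuration (represented as the same nested keys mongod.conf uses, here as a constructed Python dict rather than a YAML file) for exactly those settings, flagging a non-private net.bindIp, net.bindIpAll, missing security.authorization and missing TLS. Both configurations are constructed; the paths and the 10.0.0.5 replica address are assumptions.

```python
"""Audit a mongod configuration for the settings that decide whether a
firewall slip turns into an open database: a non-local bindIp and
missing access control. Both configurations below are constructed
examples for this article, not a real deployment's."""

import ipaddress
from typing import Any

# Constructed weak configuration: listens on every interface and never
# enables authorization, so any host that can reach TCP/27017 can read,
# drop and "ransom" the data.
WEAK_CONFIG: dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed hardened configuration: bound to loopback plus one private
# replica-set address (assumed), with authorization and TLS required.
HARDENED_CONFIG: dict[str, Any] = {
    "net": {
        "port": 27017,
        "bindIp": "127.0.0.1,10.0.0.5",
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongod.pem"},
    },
    "security": {"authorization": "enabled", "keyFile": "/etc/mongodb/keyfile"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}


def _is_local_or_private(addr: str) -> bool:
    """True for loopback, link-local or private (RFC 1918 / ULA) addresses.
    Hostnames other than 'localhost' are treated as untrusted: we cannot
    tell from the config alone where they resolve."""
    if addr == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def audit_mongod_config(cfg: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the listener and
    access-control settings look right for a network-attached replica."""
    findings: list[str] = []
    net = cfg.get("net", {})
    security = cfg.get("security", {})

    # net.bindIpAll overrides bindIp; the mongod default since 3.6 is localhost.
    if net.get("bindIpAll"):
        findings.append("net.bindIpAll is true: listening on all interfaces")
    else:
        for addr in str(net.get("bindIp", "127.0.0.1")).split(","):
            addr = addr.strip()
            # 0.0.0.0 and :: are checked explicitly: ipaddress counts them as
            # "private", but they mean "every interface".
            if addr in ("0.0.0.0", "::") or not _is_local_or_private(addr):
                findings.append(f"net.bindIp includes non-private address {addr!r}")

    # Without security.authorization the server accepts any client as admin.
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")

    # TLS is secondary to the two checks above but still worth flagging.
    if net.get("tls", {}).get("mode") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS'")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or "OK")
```

Running it as written prints three findings for the weak configuration and OK for the hardened one. The point of running such a check in a migration runbook is that the firewall is a single layer: a bindIp limited to loopback and private addresses plus enabled authorization would have left a briefly exposed port with nothing to read.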
– Taking a snapshot of the backup taken 3 hours ago (should take 30 minutes) just in case
– Booting the snapshot and replicating to another secondary (~3-4 hours)
Once those two are done, we should be back in business.
Samuel Clay wrote on Twitter.
The incident has since been resolved: NewsBlur employees were able to restore the database from a backup, which fortunately was at hand.
Let me also remind you that we previously wrote about Gootkit malware operators leaving an unprotected database exposed on the internet.