Gootkit Group Left Databases Exposed Online Without Passwords (Sep 17, 2019)
The threat actors behind the “Gootkit” trojan left their MongoDB databases misconfigured and connected to the internet without a password for about one week in July 2019. This oversight allowed security researcher Bob Diachenko to download the group's data and gain insight into their operations. Gootkit is primarily a browser data stealer: it can extract and exfiltrate browsing history, cookie files, and passwords from multiple browser types. The two databases held aggregated data from three Gootkit sub-botnets, covering a total of 38,653 infected hosts. Approximately 15,000 payment card details were stored in plaintext, along with more than two million entries of online user credentials for a variety of sites. Diachenko said he found the servers on July 4, that both were taken down by July 10, and that the servers have not leaked further information since. A copy of the data was provided to law enforcement authorities.
Recommendation: Webmasters sometimes discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities.
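As an added example (not from the report above, and not the Gootkit operators' own setup), the following Python check audits a mongod.conf for the two settings that together produce exactly this kind of exposure: a mongod bound to every interface with `security.authorization` left off. Both configuration texts are constructed samples, and the parser handles only mongod.conf's simple two-level layout (an assumption; it is not a general YAML parser).

```python
from typing import Dict, List

def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for mongod.conf's 'section:' / '  key: value' layout.
    Assumption: not a general YAML parser; deeper nesting and lists are ignored."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):                # top-level key such as "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:   # "  bindIp: 0.0.0.0"
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf

def audit_mongod_conf(text: str) -> List[str]:
    """Return findings; an empty list means neither exposure condition is present."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    # mongod binds to localhost by default (since 3.6), so a missing bindIp is safe
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    exposed = (net.get("bindIpAll", "false").lower() == "true"
               or any(ip in ("0.0.0.0", "::") for ip in bind_ips))
    # authorization is off by default: any client reaching the port reads every
    # database, which is what happened to the Gootkit servers in the report
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if exposed:
        findings.append("net.bindIp exposes mongod on all interfaces")
    if not auth_on:
        findings.append("security.authorization is not enabled (no credentials required)")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated MongoDB reachable from the network")
    return findings

# Constructed samples: the weak layout matching the report, and a hardened one.
WEAK_CONF = """
net:
  bindIp: 0.0.0.0          # listens on every interface, including the internet
"""
HARDENED_CONF = """
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal address
security:
  authorization: enabled
"""
```

Running the check as part of configuration review or deployment validation flags the weak sample with three findings and passes the hardened one cleanly; pairing it with network-level restrictions on port 27017 covers the case where a host is later rebound by hand.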
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.