Over 12,000 MongoDB Databases Deleted by Unistellar Attacks (May 17, 2019)

Researchers have identified a campaign that targets publicly accessible MongoDB databases and deletes their contents. Unlike other campaigns observed targeting MongoDB, the threat actor(s) behind this one, called “Unistellar,” do not demand a ransom to return the deleted data and instead leave an email address for victims to contact. Researchers estimate that approximately 12,000 misconfigured MongoDB databases have been deleted over the past three weeks. At the time of this writing, it is unknown whether affected database administrators have been paying Unistellar to restore database contents.

Recommendation: It is crucial for your company to verify that access control is configured correctly before adding any sensitive data to a database. As this story shows, a misconfigured database has the potential to cause significant harm to individuals and to a company’s reputation.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.