MongoDB Servers Wiped, Ransom Notes Left

Hackers are launching automated attacks that have wiped thousands of MongoDB servers found exposed on the public internet without authentication. Using simple scanning tools, threat actors identify databases running on port 27017, delete stored information, and leave behind ransom notes demanding payments of $500 to $600 in Bitcoin. Recent analyses reveal that nearly 46% of compromised MongoDB instances contain active ransom demands.

Flare researchers observed that one Bitcoin wallet received 98% of payments, signaling coordination by a dominant threat group. Over 3,100 fully exposed MongoDB databases remain vulnerable, with the root cause often traced to misconfigured deployments using insecure Docker images. Some containers bind database services to all interfaces without enabling access controls, leading to immediate exposure.

Security experts urge organizations to audit deployments, enforce authentication, and block public port access. Left unresolved, these misconfigurations could lead to more MongoDB servers being wiped by similar campaigns.
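An added example (not from the report or from Flare) of the kind of deployment audit recommended above: it checks Compose-style service definitions for a MongoDB port published beyond loopback, `mongod` bound to all interfaces, and missing access control. The service dictionaries are constructed samples, only IPv4 port mappings are handled, and treating `MONGO_INITDB_ROOT_USERNAME` plus `MONGO_INITDB_ROOT_PASSWORD` as enabling authentication assumes the official `mongo` Docker image.

```python
import shlex

MONGO_PORT = "27017"  # default MongoDB port named in the article

def published_publicly(mapping):
    """True if a Docker port mapping exposes container port 27017 beyond loopback."""
    parts = mapping.split("/")[0].split(":")  # drop "/tcp", split ip:host:container
    if parts[-1] != MONGO_PORT:
        return False
    host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"  # no IP given: all interfaces
    return host_ip not in ("127.0.0.1", "localhost")

def binds_all_interfaces(args):
    if "--bind_ip_all" in args:
        return True
    for i, arg in enumerate(args):
        if arg.startswith("--bind_ip="):
            value = arg.split("=", 1)[1]
        elif arg == "--bind_ip" and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        if any(ip.strip() in ("0.0.0.0", "::") for ip in value.split(",")):
            return True
    return False

def auth_enabled(args, env):
    """True if access control is switched on by flag or by root credentials."""
    if "--noauth" in args:
        return False
    if "--auth" in args or any(a.split("=")[0] == "--keyFile" for a in args):
        return True
    # Assumption: official mongo image, which enables auth when both are set.
    return bool(env.get("MONGO_INITDB_ROOT_USERNAME") and env.get("MONGO_INITDB_ROOT_PASSWORD"))

def audit(service):
    args = shlex.split(service.get("command", ""))
    findings = []
    if any(published_publicly(p) for p in service.get("ports", [])):
        findings.append("port 27017 published on a non-loopback host interface")
    if binds_all_interfaces(args):
        findings.append("mongod binds to all interfaces")
    if not auth_enabled(args, service.get("environment", {})):
        findings.append("access control not enabled")
    return findings

WEAK = {"command": "mongod --bind_ip_all", "ports": ["27017:27017"]}         # constructed
HARDENED = {"command": "mongod --auth", "ports": ["127.0.0.1:27017:27017"]}  # constructed
```

Calling `audit(WEAK)` returns all three findings, while `audit(HARDENED)` returns an empty list.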

Read the full report: https://cybersecuritynews.com/mongodb-instances-hacked/
