**Hackers Exploit Unsecured MongoDB Instances to Wipe Data and Demand Ransom**

As cybersecurity threats continue to rise, a concerning trend has been observed in the hacking community. A staggering number of unsecured MongoDB instances have fallen prey to malicious hackers, who have not only compromised the data but also left ransom notes demanding payment in Bitcoin.

A recent report by Flare highlights the alarming extent of this issue, revealing that over 1,400 exposed MongoDB servers have been hijacked and wiped. The cybersecurity firm estimates that approximately 45.6% of the 3,100 fully exposed servers were compromised, with their databases erased and replaced with ransom notes.

The hackers' modus operandi is strikingly similar, with nearly all cases involving a ransom demand of around $500 in Bitcoin. What's more astonishing is that the same Bitcoin address appears in over 98% of these instances, strongly suggesting that a single attacker is responsible for this large-scale operation.

Flare notes that while over 200,000 MongoDB servers are publicly visible, the biggest risk lies with those left online without proper access controls. According to their analysis, more than 100,000 instances disclosed operational information, but only around 3,100 were fully exposed to the internet without restrictions.

The report warns that a single pre-authentication remote code execution (RCE) zero-day vulnerability in MongoDB could have catastrophic consequences, exposing hundreds of thousands of servers and turning them into "well-oiled ransom machines" capable of operating at massive scale. For this reason, Flare strongly recommends applying the prevention and hardening best practices outlined in its report to mitigate this risk.

Some interesting findings from the report include:

* **Over 95,000 servers had at least one vulnerability**, but most were only denial-of-service (DoS) vulnerabilities.
* **Misconfiguration is the primary enabling factor** for these attacks, rather than exploitation of known vulnerabilities.
* **Only five distinct Bitcoin wallets were observed across all incidents**, with a single wallet appearing in over 98% of cases.

While some victims may have paid the ransom, which would put the attacker's possible earnings anywhere between $0 and $842,000, it's essential to remember that paying hackers only emboldens them. The best course of action remains prevention and preparedness.

The Flare report emphasizes the importance of proper access controls and configuration in preventing such attacks. By taking proactive measures, organizations can minimize their exposure to these types of threats and maintain the integrity of their sensitive data.
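The two settings that turn a MongoDB server into one of the "fully exposed" instances Flare counts are a listener bound to every interface and authorization left disabled. The following audit script is an added example written for this article; it is not code from Flare's report or from the MongoDB project. It parses the simple YAML subset that `mongod.conf` uses (nested maps of scalar values, an assumption of this example) and flags the weak settings against the hardened ones. The two configuration samples are constructed for the demonstration, and the IP `10.0.0.5` is a placeholder.

```python
"""Audit a mongod.conf for the misconfigurations behind the wipe-and-ransom campaign.

Checks performed (all based on documented mongod configuration keys):
  - net.bindIp / net.bindIpAll: is the listener reachable from every interface?
  - security.authorization: can an anonymous client read and drop databases?
  - net.tls.mode: is TLS required on the wire?
"""
from __future__ import annotations

from typing import Any

# Constructed sample: the "fully exposed" shape (public listener, no auth).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: hardened configuration. 10.0.0.5 is a placeholder
# for an internal address that application servers connect to.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_conf(text: str) -> dict[str, Any]:
    """Parse the YAML subset mongod.conf normally uses: nested maps of scalars.

    Assumption: consistent space indentation, no lists, no multi-line values.
    Comments introduced by '#' are stripped.
    """
    root: dict[str, Any] = {}
    stack: list[tuple[int, dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        # Climb back out to the parent map of this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child: dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def listens_on_all_interfaces(conf: dict[str, Any]) -> bool:
    """True when the listener is bound to every interface.

    mongod defaults to localhost only, so an absent bindIp is treated as safe.
    """
    net = conf.get("net", {})
    if str(net.get("bindIpAll", "false")).lower() == "true":
        return True
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    return "0.0.0.0" in addrs or "::" in addrs


def authorization_enabled(conf: dict[str, Any]) -> bool:
    """security.authorization defaults to disabled, i.e. anonymous full access."""
    return conf.get("security", {}).get("authorization", "disabled") == "enabled"


def audit(conf: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; empty means no weak settings found."""
    findings: list[str] = []
    if listens_on_all_interfaces(conf):
        findings.append("net.bindIp listens on all interfaces")
    if not authorization_enabled(conf):
        findings.append("security.authorization is not enabled (anonymous clients get full access)")
    if conf.get("net", {}).get("tls", {}).get("mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode does not require TLS")
    return findings


def is_fully_exposed(conf: dict[str, Any]) -> bool:
    """The combination that lets anyone on the internet drop every database."""
    return listens_on_all_interfaces(conf) and not authorization_enabled(conf)


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_conf(text)
        print(f"{name}: fully exposed={is_fully_exposed(conf)}")
        for finding in audit(conf):
            print("  -", finding)
```

Run it against a real `mongod.conf` by replacing the constructed samples with the file's contents; a non-empty findings list for a server that is reachable from the internet is exactly the condition the report describes, and the `bindIp` plus `authorization` pair should be fixed before anything else.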
