{"id":35873,"date":"2020-07-03T14:58:00","date_gmt":"2020-07-03T14:58:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/31358\/MongoDB-Hacker-Threatens-To-Report-Breach-To-GDPR.html"},"modified":"2020-07-03T14:58:00","modified_gmt":"2020-07-03T14:58:00","slug":"mongodb-hacker-threatens-to-report-breach-to-gdpr","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/mongodb-hacker-threatens-to-report-breach-to-gdpr\/","title":{"rendered":"MongoDB Hacker Threatens To Report Breach To GDPR"},"content":{"rendered":"
<\/div>\n
\n

A hacker that uploaded ransom notes on nearly 23,000 MongoDB databases left exposed online without passwords has given his potential victims until tomorrow to pay a $140 ransom, or possibly report the breach to local GDPR authorities.<\/p>\n

According to recent ZDNet story<\/a>, the hacker used an automated script to scan for misconfigured MongoDB<\/a> databases, effectively wiping the content. The hacker then left a ransom note asking for the payment.<\/p>\n

The miscreant threatened to report the breach to the local GDPR authorities within two days if they refused to pay up in two days \u2013 on July 3.<\/p>\n

James McQuiggan, security awareness advocate at KnowBe4, said<\/p>\n

it\u2019s bad enough the victims lost data. Now, an organization has to pay to get the decryption key from the cyber criminals and possibly would need to pay again not to have it leaked to the public.<\/p>\n

\u201cAdding to this challenging incident is the threat of the data and information going to the authorities,\u201d McQuiggan said. \u201cOrganizations familiar with the GDPR realize the fines can be a substantial sum of money and could be detrimental to their profits and possibly loss of reputation with their shareholders. If someone else informs the supervisory authorities, it could cost the organization a significant amount of money versus them just reporting it themselves.\u201d<\/p>\n

Brandon Hoffman, CISO at Netenrich, said while there may be some altruistic component of this attack, based on previous activity from similar attacks (not against MongoDB), Hoffman views the GDPR tactic as an extension of the threat.<\/p>\n

\u201cThe rise in extortion tactics to get the ransom paid, in my mind, makes it clear that it\u2019s simply another technique in the same playbook,\u201d Hoffman said. \u201cWere this truly a hacktivism related threat, there would be some other clear motivation tied to a political or social movement and almost certainly there wouldn\u2019t be such an easy out \u2014 $140 \u2014 from the backlash these companies would receive from GDPR.\u201d<\/p>\n

 Andrew Barratt, head of investigations at Coalfire, said this wasn\u2019t altruism, it was naivety.<\/p>\n

\u201cThe intruder was incredibly na\u00efve to think they can extort a company with a regulatory disclosure from their criminal attack,\u201d Barratt said. \u201cImagine a car thief stealing your car, then threaten they\u2019ll call your insurance company to tell them  \u2018hey \u2013 the locks were not on the insurer approved list.\u2019\u201d  <\/p>\n

Barratt said it\u2019s clearly a commercial hack. With such a small dollar value, he said the hacker hopes people will just simply pay the ransom.<\/p>\n

\u201cDisclosure to the appropriate supervisory authorities is also an incredibly high- risk maneuver for the criminal with the possibility of being discovered,\u201d Barratt said. \u201cAssuming 23,000 don\u2019t pay out \u2013 reporting to the authorities would require a significant amount of effort. It would require the intruder to confirm which data protection authority in Europe is the one the business identified as their reporting body. It\u2019s a fairly big lift to do that correctly when you\u2019re doing it for your own purposes \u2013 but imagine doing it for all 23,000 entities.\u201d <\/p>\n

Barratt said here\u2019s a snapshot of what the hacker would have to turn over to all the various authorities, assuming he could figure that out:<\/p>\n

A description of the nature of the personal data breach including, where possible:<\/p>\n