
Threat actor group behind Gootkit malware left their MongoDB databases exposed to the internet

  • The databases included MongoDB collections named “Luhnform” that contained plain text passwords, configuration details, bank accounts, email account logins, online shops, credit card details, and more.
  • Altogether there were 1,444,375 records of email accounts, 2,196,840 password strings, and 752,645 entries of usernames.

What was found?

Security researcher Bob Diachenko uncovered two unprotected MongoDB databases that were publicly accessible over the internet.

Contents of the open databases

After examining the data, the researcher determined that the databases belong to the criminal gang behind the Gootkit malware.

  • According to ZDNet's report, the two MongoDB databases contained data that was aggregated from three Gootkit sub-botnets and a total of 38,653 infected hosts.
  • The databases included MongoDB collections named “Luhnform” that contained plain text passwords, configuration details, bank account details, email account logins, credit card details, and more.
  • Almost 15,000 entries related to payment card data were found exposed in the databases.
  • The researcher also found another MongoDB collection named “Windowscredentials” that contained passwords of Windows users.
  • Altogether there were 1,444,375 records of email accounts, 2,196,840 password strings, and 752,645 entries of usernames.
  • Apart from these, the MongoDB databases also contained configuration files and system information such as internal and public IP addresses, hostnames, domain names, CPU details, memory details, OS details, OS installation dates, MAC addresses, browser details, and more.

“Passwords and configuration pairs: online shops, emails, banking applications, streaming and other online services, internal network passwords, and many more,” Diachenko said in a blog.

Worth noting

Diachenko noted that he discovered the unprotected databases on July 4, 2019, and that within a week, by July 10, 2019, both databases had been secured. Diachenko nonetheless provided a copy of the data to law enforcement authorities.

Cyware Publisher
