2 min Security

Unsecured MongoDB databases expose Kremlin’s back door to Russian companies

Unsecured MongoDB databases expose Kremlin’s back door to Russian companies

Dutch security researcher Victor Gevers found an account that the Kremlin used to grant itself access to the servers of local and foreign companies operating in Russia. The account was found in thousands of MongoDB databases that appeared to be accessible online without a password.

Gevers spoke to the site ZDNet and told about the back door account he found. He argues that, if any hacker had found this account, they would have been able to access the sensitive information of thousands of companies operating in Russia. The first time I found the credentials was in the user table of a Russian Lotto site, Gevers said during the interview. I had to do some digging to understand that the Kremlin requires remote access to systems that process financial transactions.

More than 2,000 databases

The researcher states that he found the same admin@kremlin.ru-account in more than 2,000 other MongoDB databases. All of them were exposed online and belonged to local and foreign companies operating in Russia. These included databases of local banks, financial institutions, telecom companies and even Disney Russia. That looked like this:

Screenshot made by Victor Gevers

Gevers even found the account in a Mongolian DB database belonging to the Ukrainian Ministry of the Interior, which contained information about the ERDR investigations that were carried out on corrupt politicians in the country. That is remarkable, because Russia and Ukraine have been in conflict for some years.

In his investigation, Gevers did not find out what the account was used for. As a whitehat hacker, he only researched leaking MongoliaDB databases and tries to respect privacy as much as possible in his research, by minimizing the search for information such as owners’ email addresses. All systems with this password were accessible to everyone anyway. The MongoDB databases were all rolled out with default settings. So anyone without authentication had access to CRUD [Create, Read, Update, Delete].

It has taken us quite some time and effort to contact the Kremlin and warn about the problem. But we never succeeded. At the same time, the message seems to have got through. We still discover Russian databases of companies, but these credentials have not been found in recent months, says Gevers.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.