On January 22, 2019, we have identified a passwordless MongoDB database with almost 5 Million records labeled as CFDI (short for Comprobantes Fiscal Digital por Internet) – the electronic billing schema defined by the Mexican federal tax code.
While the owner of the database was not immediately visible, we started to analyze the data samples in order to find out who left it unattended and alert the company.
Among other info, a 6GB database contained 70 collections named after a company’s Mexican TAX ID. Each collection had different number of documents (the biggest one had 657K documents), with all information you would expect from eAccounting database.
Some invoices were payroll documents, with personal details of a person, incl. CURP, national social security numbers, salary rate etc. We have identified the following 41 companies which had its data exposed in the unprotected database:
| No. | EMISOR | No of docs exposed in database |
| 1 | GENERAL DE SEGUROS, S.A.B. | 657300 |
| 2 | CARL ZEISS VISION MANUFACTURA DE MEXICO S. DE RL DE CV | 539211 |
| 3 | Cummins Grupo Industrial, S. de R.L. de C.V. | 415051 |
| 4 | FARMACON S.A. DE C.V. | 335960 |
| 5 | OPERADORA DE HOSPITALES ENGELES, S.A. DE C.V. | 242413 |
| 6 | FANOSA, S A DE C V | 192445 |
| 7 | ALPHABET DE MEXICO SA DE CV | 172019 |
| 8 | ITESO AC | 168145 |
| 9 | FUGRA SERVICIOS, S.A. DE C.V | 145997 |
| 10 | AUMA SERVICIOS, S.A. DE C.V. | 115236 |
| 11 | ALPHABET DE MEXICO DE MONCLOVA SA DE CV | 107626 |
| 12 | AUMA LERMA SERVICIOS, S.A. DE C.V. | 100263 |
| 13 | ARRIS GROUP DE MEXICO SA DE CV | 93542 |
| 14 | AUMA SALT SERVICIOS, S.A. DE C.V. | 88916 |
| 15 | BOCAR SERVICIOS, S.A. DE C.V. | 82069 |
| 16 | Servicios Profesionales Petroleros, S de RL De CV | 76150 |
| 17 | PRIME WHEEL MEXICO S. DE R.L. DE C.V. | 67771 |
| 18 | PULIDORA DE BAJA CALIFORNIA, S.A. DE C.V. | 65774 |
| 19 | PLASTIC SERVICIOS, S.A. DE C.V. | 65042 |
| 20 | THYSSENKRUPP COMPONENTS TECHNOLOGY DE MEXICO S.A. DE C.V. | 61235 |
| 21 | Service Zone, S. de R.L. de C.V. | 41999 |
| 22 | MERSEN DE MEXICO JUAREZ, S.A. DE C.V. | 41119 |
| 23 | TERMOCONTROLES DE JUAREZ S.A. DE C.V. | 39914 |
| 24 | DIGITAL APPLIANCE CONTROLS DE MEXICO, S.A. DE C.V. | 34613 |
| 25 | PLM PREMIER SAPI DE CV | 27797 |
| 26 | KALISCHATARRA S DE RL DE CV | 21694 |
| 27 | LIBERTY CARTON DE MEXICO S DE RL DE CV | 20506 |
| 28 | AUMA SAN LUIS SERVICIOS, S.A. DE C.V. | 19271 |
| 29 | AUMA QUERETARO, S.A. DE C.V. | 18099 |
| 30 | PLASTIC SERVICIOS SLP, S.A. DE C.V. | 14979 |
| 31 | GBT Servicios Profesionales S. de R.L. de C.V. | 14021 |
| 32 | ARCELORMITTAL SERVICIOS DE MONTERREY SA DE CV | 12505 |
| 33 | TYCO ELECTRONICS MEXICO, S. DE R.L DE C.V. | 10407 |
| 34 | SERVICIOS MEXICANOS DE MANUFACTURA S DE RL DE CV | 8004 |
| 35 | TEQUILA DON JULIO SERVICIOS, S.A. DE C.V. | 7503 |
| 36 | LP LOGISTICA EN RECURSOS HUMANOS S DE RL DE CV | 2822 |
| 37 | HASMEX SERVICIOS SA DE CV | 2320 |
| 38 | ZONE COMPRA S DE RL DE CV | 2296 |
| 39 | CLUB GALLOS BLANCOS, S.A. DE C.V. | 2160 |
| 40 | MSSL WIRINGS JUAREZ SA DE CV | 1968 |
| 41 | PROFUTURO GNP, S.A DE C.V., SOFOM, E.N.R. | 1618 |
We have reached to one of the company from the list and they also helped a lot to identify the owner of the database. As of today, database has been pulled offline, investigation is in progress, so we cannot share more than it is filed here.
Danger of having exposed MongoDB or similar NonSql databases is huge. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.
These attacks are able to occur because the MongoDB database is remotely accessible and not properly secured. This means that these attacks are easily prevented by following fairly simple steps in securing the database instance.
Unfortunately, in this case the bad scenario took place – after almost 48 hours of being exposed to the public Internet, database had been kidnapped, with a ransom note demanding 0.5BTC to return the data.
We have logs and screenshots of the database which show the activity of the malicious IP that is deleting data in database and putting ransom note instead. There is a high chance that documents were compromised. We are now in touch with INAI Mexico and ready to assist in the ongoing investigation with the information we have.
This article will be updated if/when more information available.
About author and security researcher:
Bob Diachenko has over 12 years experience working in corporate/product/internal communications with a strong focus on infosecurity, IT and technology. In the past Bob has worked with top tier media, government agencies, and law enforcement to help secure exposed data. Follow Bob on Twitter and his blog on Linkedin, Email: [email protected]