Large eAccounting Data Breach in Mexico

On January 22, 2019, we identified a passwordless MongoDB database with almost 5 million records labeled as CFDI (short for Comprobante Fiscal Digital por Internet), the electronic billing schema defined by the Mexican federal tax code.

While the owner of the database was not immediately visible, we started to analyze the data samples in order to find out who had left it unattended and to alert the company.

Among other information, the 6 GB database contained 70 collections, each named after a company's Mexican tax ID. Each collection held a different number of documents (the largest had 657K documents), with all the information you would expect from an eAccounting database.

Some invoices were payroll documents containing the personal details of an individual, including CURP, national social security number, salary rate, etc. We identified the following 41 companies whose data was exposed in the unprotected database:

No.  Emisor (issuing company)  Number of documents exposed in the database
1 GENERAL DE SEGUROS, S.A.B. 657300
2 CARL ZEISS VISION MANUFACTURA DE MEXICO S. DE RL DE CV 539211
3 Cummins Grupo Industrial, S. de R.L. de C.V. 415051
4 FARMACON S.A. DE C.V. 335960
5 OPERADORA DE HOSPITALES ENGELES, S.A. DE C.V. 242413
6 FANOSA, S A DE C V 192445
7 ALPHABET DE MEXICO SA DE CV 172019
8 ITESO AC 168145
9 FUGRA SERVICIOS, S.A. DE C.V 145997
10 AUMA SERVICIOS, S.A. DE C.V. 115236
11 ALPHABET DE MEXICO DE MONCLOVA SA DE CV 107626
12 AUMA LERMA SERVICIOS, S.A. DE C.V. 100263
13 ARRIS GROUP DE MEXICO SA DE CV 93542
14 AUMA SALT SERVICIOS, S.A. DE C.V. 88916
15 BOCAR SERVICIOS, S.A. DE C.V. 82069
16 Servicios Profesionales Petroleros, S de RL De CV 76150
17 PRIME WHEEL MEXICO S. DE R.L. DE C.V. 67771
18 PULIDORA DE BAJA CALIFORNIA, S.A. DE C.V. 65774
19 PLASTIC SERVICIOS, S.A. DE C.V. 65042
20 THYSSENKRUPP COMPONENTS TECHNOLOGY DE MEXICO S.A. DE C.V. 61235
21 Service Zone, S. de R.L. de C.V. 41999
22 MERSEN DE MEXICO JUAREZ, S.A. DE C.V. 41119
23 TERMOCONTROLES DE JUAREZ S.A. DE C.V. 39914
24 DIGITAL APPLIANCE CONTROLS DE MEXICO, S.A. DE C.V. 34613
25 PLM PREMIER SAPI DE CV 27797
26 KALISCHATARRA S DE RL DE CV 21694
27 LIBERTY CARTON DE MEXICO S DE RL DE CV 20506
28 AUMA SAN LUIS SERVICIOS, S.A. DE C.V. 19271
29 AUMA QUERETARO, S.A. DE C.V. 18099
30 PLASTIC SERVICIOS SLP, S.A. DE C.V. 14979
31 GBT Servicios Profesionales S. de R.L. de C.V. 14021
32 ARCELORMITTAL SERVICIOS DE MONTERREY SA DE CV 12505
33 TYCO ELECTRONICS MEXICO, S. DE R.L DE C.V. 10407
34 SERVICIOS MEXICANOS DE MANUFACTURA S DE RL DE CV 8004
35 TEQUILA DON JULIO SERVICIOS, S.A. DE C.V. 7503
36 LP LOGISTICA EN RECURSOS HUMANOS S DE RL DE CV 2822
37 HASMEX SERVICIOS SA DE CV 2320
38 ZONE COMPRA S DE RL DE CV 2296
39 CLUB GALLOS BLANCOS, S.A. DE C.V. 2160
40 MSSL WIRINGS JUAREZ SA DE CV 1968
41 PROFUTURO GNP, S.A DE C.V., SOFOM, E.N.R. 1618

We reached out to one of the companies on the list, and they also helped a great deal in identifying the owner of the database. As of today, the database has been pulled offline and an investigation is in progress, so we cannot share more than is stated here.

The danger of an exposed MongoDB or similar NoSQL database is huge. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on MongoDB servers. A publicly reachable, unauthenticated configuration gives cybercriminals the ability to manage the whole system with full administrative privileges. Once the malware is in place, criminals can remotely access the server's resources and even run code to steal or completely destroy any saved data the server contains.

These attacks occur because the MongoDB database is remotely accessible and not properly secured. This means they are easily prevented by following fairly simple steps to secure the database instance: restrict which addresses the server listens on and require authentication for every client.
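As an added illustration (not a configuration from the original article or from the affected company), here is a mongod.conf in the exposed state beside a hardened one that applies the basic steps just described; the file paths are placeholders.

```yaml
# Added example: two mongod.conf documents (YAML). Paths are placeholders.
---
# EXPOSED: listens on every interface with no authentication.
# Anyone who can reach TCP/27017 gets full administrative access,
# which is how a database ends up dropped and replaced by a ransom note.
net:
  bindIp: 0.0.0.0
  port: 27017
storage:
  dbPath: /var/lib/mongodb
# (no "security" section: authorization is disabled by default)
---
# HARDENED: bind only to loopback (or a private interface),
# require authentication, and keep an audit trail in the log.
net:
  bindIp: 127.0.0.1          # add a private app-server address only if needed
  port: 27017
security:
  authorization: enabled     # every client must authenticate and be authorized
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true            # keeps connection and command history across restarts
```

With authorization enabled, create an administrative user first (db.createUser() on the admin database from a local shell) and then restart mongod; a host firewall that allows port 27017 only from application hosts is the second layer.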

Unfortunately, in this case the bad scenario took place: after almost 48 hours of exposure to the public Internet, the database had been hijacked, with a ransom note demanding 0.5 BTC to return the data.

We have logs and screenshots of the database showing the activity of the malicious IP that deleted data from the database and put a ransom note in its place. There is a high chance that the documents were compromised. We are now in touch with INAI Mexico and are ready to assist in the ongoing investigation with the information we have.

This article will be updated if and when more information becomes available.

About author and security researcher:

Bob Diachenko has over 12 years' experience working in corporate, product and internal communications with a strong focus on information security, IT and technology. In the past Bob has worked with top-tier media, government agencies and law enforcement to help secure exposed data. Follow Bob on Twitter and his blog on LinkedIn. Email: bob@securitydiscovery.com

About the Author

Bob Diachenko
I'm Bob Diachenko, Cyber Threat Intelligence Director and journalist at SecurityDiscovery.com. My goal is to help protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of my discoveries have been covered in major news and technology media, earning me a reputation as one of the reputable data security analysts. Contact me: bob(at)securitydiscovery.com