Large eAccounting Data Breach in Mexico

By
Bob Diachenko

On January 22, 2019, we identified a passwordless MongoDB database with almost 5 Million records labeled as CFDI (short for Comprobante Fiscal Digital por Internet), the electronic invoicing schema defined by the Mexican federal tax code.

While the owner of the database was not immediately visible, we started to analyze data samples in order to find out who had left it unattended and alert the company.

Among other information, the 6GB database contained 70 collections, each named after a company's Mexican tax ID (RFC). Each collection held a different number of documents (the biggest one had 657K), with all the information you would expect from an eAccounting database.

Some of the invoices were payroll documents containing personal details of individual employees, including CURP, national social security numbers, salary rates, etc. We identified the following 41 companies whose data was exposed in the unprotected database:

No. | Emisor | No. of docs exposed in database
1 | GENERAL DE SEGUROS, S.A.B. | 657300
2 | CARL ZEISS VISION MANUFACTURA DE MEXICO S. DE RL DE CV | 539211
3 | Cummins Grupo Industrial, S. de R.L. de C.V. | 415051
4 | FARMACON S.A. DE C.V. | 335960
5 | OPERADORA DE HOSPITALES ENGELES, S.A. DE C.V. | 242413
6 | FANOSA, S A DE C V | 192445
7 | ALPHABET DE MEXICO SA DE CV | 172019
8 | ITESO AC | 168145
9 | FUGRA SERVICIOS, S.A. DE C.V | 145997
10 | AUMA SERVICIOS, S.A. DE C.V. | 115236
11 | ALPHABET DE MEXICO DE MONCLOVA SA DE CV | 107626
12 | AUMA LERMA SERVICIOS, S.A. DE C.V. | 100263
13 | ARRIS GROUP DE MEXICO SA DE CV | 93542
14 | AUMA SALT SERVICIOS, S.A. DE C.V. | 88916
15 | BOCAR SERVICIOS, S.A. DE C.V. | 82069
16 | Servicios Profesionales Petroleros, S de RL De CV | 76150
17 | PRIME WHEEL MEXICO S. DE R.L. DE C.V. | 67771
18 | PULIDORA DE BAJA CALIFORNIA, S.A. DE C.V. | 65774
19 | PLASTIC SERVICIOS, S.A. DE C.V. | 65042
20 | THYSSENKRUPP COMPONENTS TECHNOLOGY DE MEXICO S.A. DE C.V. | 61235
21 | Service Zone, S. de R.L. de C.V. | 41999
22 | MERSEN DE MEXICO JUAREZ, S.A. DE C.V. | 41119
23 | TERMOCONTROLES DE JUAREZ S.A. DE C.V. | 39914
24 | DIGITAL APPLIANCE CONTROLS DE MEXICO, S.A. DE C.V. | 34613
25 | PLM PREMIER SAPI DE CV | 27797
26 | KALISCHATARRA S DE RL DE CV | 21694
27 | LIBERTY CARTON DE MEXICO S DE RL DE CV | 20506
28 | AUMA SAN LUIS SERVICIOS, S.A. DE C.V. | 19271
29 | AUMA QUERETARO, S.A. DE C.V. | 18099
30 | PLASTIC SERVICIOS SLP, S.A. DE C.V. | 14979
31 | GBT Servicios Profesionales S. de R.L. de C.V. | 14021
32 | ARCELORMITTAL SERVICIOS DE MONTERREY SA DE CV | 12505
33 | TYCO ELECTRONICS MEXICO, S. DE R.L DE C.V. | 10407
34 | SERVICIOS MEXICANOS DE MANUFACTURA S DE RL DE CV | 8004
35 | TEQUILA DON JULIO SERVICIOS, S.A. DE C.V. | 7503
36 | LP LOGISTICA EN RECURSOS HUMANOS S DE RL DE CV | 2822
37 | HASMEX SERVICIOS SA DE CV | 2320
38 | ZONE COMPRA S DE RL DE CV | 2296
39 | CLUB GALLOS BLANCOS, S.A. DE C.V. | 2160
40 | MSSL WIRINGS JUAREZ SA DE CV | 1968
41 | PROFUTURO GNP, S.A DE C.V., SOFOM, E.N.R. | 1618

We reached out to one of the companies on the list, and they helped a great deal in identifying the owner of the database. As of today the database has been pulled offline and an investigation is in progress, so we cannot share more than is stated here.

The danger of leaving a MongoDB or similar NoSQL database exposed is huge. We have previously reported that the lack of authentication allowed malware or ransomware to be installed on MongoDB servers. A publicly reachable, unauthenticated configuration lets cybercriminals manage the whole system with full administrative privileges. Once malware is in place, criminals can remotely access the server's resources and even execute code to steal or completely destroy any data the server holds.

These attacks are possible because the MongoDB instance is remotely accessible and not properly secured. This also means they are easily prevented by following fairly simple steps to secure the database instance: bind it to internal interfaces only and require authentication for every client.

Unfortunately, in this case the worst-case scenario took place: after almost 48 hours of exposure to the public Internet, the database was hijacked, with a ransom note demanding 0.5 BTC to return the data.

We have logs and screenshots of the database that show the malicious IP deleting data and leaving a ransom note in its place. There is a high chance that the documents were compromised. We are now in touch with INAI Mexico and are ready to assist the ongoing investigation with the information we have.

This article will be updated if/when more information becomes available.
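To make the prevention steps and the log evidence above concrete, here is an added example that is not part of the original report and not vendor tooling. It does two things: `audit_config` checks a mongod.conf text for the two keys that govern exposure (`net.bindIp`, including the `bindIpAll` form, and `security.authorization`), and `analyze_log` walks plaintext mongod 4.0-style log lines, ties each connection to its source address, and flags write or destructive commands issued by connections that never authenticated or that come from outside an allow-list. All log lines, IP addresses, database names and the allow-list are constructed for the example, not taken from the incident; the collection name `README` stands in for the kind of ransom-note collection the post describes.

```python
"""Audit mongod.conf for Internet exposure and flag destructive commands from
unauthenticated or non-allow-listed connections in a plaintext mongod log.
Added example; log lines, addresses and names below are constructed."""
import re
from ipaddress import ip_address, ip_network

# --- constructed mongod.conf fragments: the exposed shape and the hardened one ---
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5      # loopback plus the app-facing interface only
security:
  authorization: enabled          # every client must authenticate
"""

# --- constructed mongod 4.0-style log (timestamp severity component [context] message) ---
SAMPLE_LOG = """\
2019-01-24T09:12:01.101+0000 I NETWORK  [listener] connection accepted from 10.0.0.5:40112 #11 (1 connection now open)
2019-01-24T09:12:01.140+0000 I ACCESS   [conn11] Successfully authenticated as principal app on cfdi from client 10.0.0.5:40112
2019-01-24T09:12:03.002+0000 I COMMAND  [conn11] command cfdi.invoices command: find { find: "invoices", filter: { rfc: "XAXX010101000" } } protocol:op_msg 2ms
2019-01-24T10:41:17.511+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:55731 #12 (2 connections now open)
2019-01-24T10:41:17.900+0000 I COMMAND  [conn12] CMD: drop cfdi.invoices
2019-01-24T10:41:18.004+0000 I COMMAND  [conn12] command cfdi.$cmd command: dropDatabase { dropDatabase: 1, $db: "cfdi" } protocol:op_msg 40ms
2019-01-24T10:41:18.300+0000 I COMMAND  [conn12] command README.$cmd command: insert { insert: "README", $db: "README" } protocol:op_msg 1ms
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>[A-Z]) (?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"connection accepted from (?P<ip>[\d.]+):\d+ #(?P<n>\d+)")
AUTH_RE = re.compile(r"Successfully authenticated as principal \S+ on \S+")
CMD_RE = re.compile(r"(?:command: |CMD: )(?P<cmd>\w+)")
# Commands that change or destroy data; a ransom note arrives as an insert.
WRITE_OPS = {"drop", "dropDatabase", "delete", "remove", "insert", "update", "findAndModify"}


def audit_config(conf_text):
    """Flat check of the two mongod.conf settings behind this class of exposure."""
    issues = []
    bind = re.search(r"^\s*bindIp:\s*(\S+)", conf_text, re.M)
    bind_all = re.search(r"^\s*bindIpAll:\s*true", conf_text, re.M)
    if bind_all or (bind and bind.group(1) in ("0.0.0.0", "::", "0.0.0.0,::")):
        issues.append("net.bindIp exposes mongod on every interface")
    elif bind is None:
        # Binaries before 3.6 listened on all interfaces unless told otherwise.
        issues.append("net.bindIp not set explicitly; pre-3.6 default was all interfaces")
    auth = re.search(r"^\s*authorization:\s*(\S+)", conf_text, re.M)
    if auth is None or auth.group(1) != "enabled":
        issues.append("security.authorization is not enabled")
    return issues


def analyze_log(text, allowed_cidrs):
    """Return write/destructive commands from connections that are unauthenticated
    or originate outside allowed_cidrs, in log order."""
    allowed = [ip_network(c) for c in allowed_cidrs]
    conn_ip = {}        # "conn12" -> source address, from the listener's accept line
    authenticated = set()
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, msg = m.group("ctx"), m.group("msg")
        a = ACCEPT_RE.search(msg)
        if a:
            conn_ip["conn" + a.group("n")] = a.group("ip")
            continue
        if AUTH_RE.search(msg):
            authenticated.add(ctx)
            continue
        c = CMD_RE.search(msg)
        if not c or c.group("cmd") not in WRITE_OPS:
            continue
        ip = conn_ip.get(ctx)
        reasons = []
        if ctx not in authenticated:
            reasons.append("unauthenticated")
        if ip is None or not any(ip_address(ip) in net for net in allowed):
            reasons.append("source not in allow-list")
        if reasons:
            findings.append({"ts": m.group("ts"), "conn": ctx, "ip": ip or "?",
                             "cmd": c.group("cmd"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "config issues:", audit_config(conf) or "none")
    for f in analyze_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f["ts"], f["conn"], f["ip"], f["cmd"], ", ".join(f["reasons"]))
```

Run against the constructed log with `10.0.0.0/8` as the allow-list, the authenticated `find` from the internal host is silent while the `drop`, `dropDatabase` and ransom-note `insert` from the external, never-authenticated connection are each reported. In practice the allow-list is the set of application subnets that legitimately reach the database, and the same two config keys the audit checks are what keep such a connection from being accepted in the first place.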

About the author and security researcher:

Bob Diachenko has over 12 years of experience in corporate, product and internal communications, with a strong focus on information security, IT and technology. Bob has worked with top-tier media, government agencies and law enforcement to help secure exposed data. Follow Bob on Twitter and his blog on LinkedIn. Email: [email protected]