To our greatest concern, the services we use daily often become part of data breaches and data leaks, in which our personal details are exposed to cybercriminals. Banks, airlines, hotels, various organizations put our information at risk in databases that are left unsecured.
What happens when one of the most advanced banking Trojans discovered in the wild has its databases exposed? Well, we are about to find out. Apparently, Bob Diachenko, a cybersecurity researcher came across two open and publicly accessible MongoDB instances that appear to be part of the Gootkit network.
More about the Gootkit Banking Trojan
Last year, the Gootkit operators found a way to exploit Mailchimp in spam campaigns to distribute the malicious banking Trojan. The attackers were continuously hacking into MailChimp’s network to send fake invoices and emails ridden with malware. This is an example of a Gootkit malicious operation in action.
Generally, the Trojan has targeted a lot of networks located across Europe, including banks found in France, Switzerland and Austria. What’s particularly dangerous is the malware can also be set against cryptocurrency services. Furthermore, two databases that are used by the hacking collective behind the malware have been leaked.
A security analysis of their structure and a content extraction has revealed further information about the stored information. The experts reveal that the criminal collective behind the threat is actively pulling data from three botnets totaling in about 38,563 compromised hosts.
According to the security analysis, the following sensitive details have been compromised:
- A total of 1,444,375 email accounts;
- A total of 752,645 usernames;
- 2,196,840 passwords and configuration pairs coming from online shops, emails, banking applications, streaming and a variety of online services, as well as internal network passwords.
It is yet to be determined whether the Gootkit cybercriminals forgot to set a password, or if a firewall blocking access to the servers went down. But it’s a fact that something went completely wrong as the two servers were exposed and indexed by several IoT search engines.
What can happen with the user data exposed in the leaky Gootkit databases?
It is noteworthy that botnets such as Emotet and TrickBot have been dealing with something called “install space”. This means that the botnet operators were renting access on infected computers to other hacker collectives. These cybercrminal groups can then use the provided access to drop additional malware on the infected hosts. It appears that so far Gootkit operators haven’t sold install space to other groups.
However, the large number of infected hosts in the exposed databases combined with the large amount of sensitive user details could enable the criminals to do in the future, cybersecurity researchers say.