On-site sharded cluster: new ports

Hello beautiful people! I have some issues after an update on our sharded cluster, and all of these new connection timeouts. I'm not sure why we need ports 995 and 67381. We need to know which services we need these for, because we upgraded to 6.0.5 yesterday and just installed the new patch.

You need to revert the changes NOW. You just downloaded a tool called B1TXs; it uses 995 and 67381 to egress data from your cluster.

DO NOT open those ports for it!

That's a hacker's tool; it disguises itself as a prompt for a stability or security update. Revert all changes you made, sanitize, and reload from your last snapshot/backup if you need to.

Look for anything related to com.mongodb1, com.mongod1, mongodb1.com, or mongod1.com as a source; also look for any packages containing "mongo1", "mongodbsecurity", or "criticalmongod" in the names. Those would be components of B1TXs.

It's a data extraction tool built from Julius Kivimäki's extraction tool for 2.2*.

@UrDataGirl When your team downloads support tools for MongoDB, even plugins for VS Code or any other third-party tool like 3T etc., I recommend installing them on a network-separated system for testing and evaluating what it's doing, what it does, etc., and looking at the package contents of what you downloaded.

Also verify with the hash to make sure it is in fact the exact thing you think you're installing. The B1TXs tool is used as a payload in a lot of different "tools" that look like they help you with MongoDB administration, and it tries to look official by throwing buzzwords into the package names or code contents.
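The two checks recommended in the post above, written out as an added example (not code from this thread, from MongoDB, or from any of the tools mentioned): compare a download's SHA-256 against the digest published on the vendor's release page rather than one shipped next to the file, and search a directory for the package-name and domain strings the poster listed. The indicator list is reproduced exactly as posted and is not independently verified here. The file names, contents and "published" hash are constructed so the script runs offline; the genuine sample is the bytes "abc", whose SHA-256 is well known. Because TCP and UDP port numbers are 16-bit, the script also validates a port against 1..65535 before you would put it in a firewall or egress rule.

```shell
#!/bin/sh
# Added example for the checks recommended in the post above; not code from the
# thread or from MongoDB. Runs offline against constructed sample files.
set -u

# Package-name and domain strings quoted in the post. This is the poster's list,
# reproduced verbatim, not an independently verified indicator set.
INDICATORS="com.mongodb1 com.mongod1 mongodb1.com mongod1.com mongo1 mongodbsecurity criticalmongod"

# sha256_of FILE -> prints the hex SHA-256 digest (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> status 0 only if the digest matches exactly.
# EXPECTED_HEX must come from the vendor's release page, not from the download.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# scan_names DIR -> prints every path under DIR whose name contains one of the
# indicator strings (case-insensitive), one per line, deduplicated.
scan_names() {
    for ind in $INDICATORS; do
        find "$1" -iname "*$ind*" 2>/dev/null
    done | sort -u
}

# valid_port N -> status 0 only if N is a usable TCP/UDP port number.
# Ports are 16-bit, so anything outside 1..65535 cannot be a real listener
# and has no business in a firewall or egress rule.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# --- constructed sample data (not real artifacts) ---
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/plugins"
printf 'abc' > "$SANDBOX/plugins/mongo-support-tool.tgz"        # "genuine" download
printf 'abd' > "$SANDBOX/plugins/mongo-support-tool-mirror.tgz" # one byte changed
printf 'x'   > "$SANDBOX/plugins/criticalmongod-patch.tgz"      # name matches an indicator
printf 'x'   > "$SANDBOX/plugins/com.mongodb1.helper.jar"       # name matches an indicator

# Stand-in for the digest a vendor would publish: the well-known SHA-256 of "abc".
PUBLISHED_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if verify_sha256 "$SANDBOX/plugins/mongo-support-tool.tgz" "$PUBLISHED_SHA256"; then
    echo "hash OK: mongo-support-tool.tgz"
fi
if ! verify_sha256 "$SANDBOX/plugins/mongo-support-tool-mirror.tgz" "$PUBLISHED_SHA256"; then
    echo "hash MISMATCH: mongo-support-tool-mirror.tgz (do not install)"
fi
echo "name hits:"
scan_names "$SANDBOX"
for p in 995 67381; do
    if valid_port "$p"; then echo "port $p: in range"; else echo "port $p: not a valid port"; fi
done
```

A hash match only proves the file is the one the vendor published; it says nothing about whether that vendor's tool is safe, which is why the post pairs it with installing on an isolated host and reading the package contents.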

Who is Julius? And OK, thank you. I told my supervisor and we are reverting everything now. Thank you! @Brock

Julius Kivimäki is a dude who spent years of his life making tools exclusively to breach Redis and MongoDB databases. (Not just these, but anything NoSQL; one of his partners made similar tools for SQL-based DBs.)

He was arrested in 2014 after Lizard Squad breached some high-profile targets. A lot of his tools got released before his arrest (dude knew his time was up), so a bunch of groups have been keeping the tools up to date since.

Most commonly, to get people to install this tool, they'll disguise payloads in third-party tools that interact with the database(s), so it can generate prompts and pop-up notifications that look official, as if from MongoDB itself, Redis itself, etc. So the admin unwittingly installs and pushes the update that's really B1TXs in disguise; then it changes config files etc. and generates indexes to funnel the data out.

I know about this tool because of work I did in incident response and forensics for several breaches where the tools were used. The predecessor of B1TXs is what Julius used to breach a health clinic's medical records, and the same tool was later used on a power plant in Ukraine, etc. It's a very serious tool, very heavy in capability.

Be sure to take whatever you had downloaded previously, the location and so on, and make a report to ic3.gov about it, with the information for how they can download whatever you downloaded and installed. You'll never be able to permanently remove the tool from the internet, but they can at least hunt down whoever got hold of it this time around.

Thank you again! Our security team is filling out all of the reports now. Thanks again!