The hackers that targeted MongoDB installations with ransom attacks now switch on the exposed Elasticsearch clusters with a similar tactic.
A few days ago I reported the news of a string of cyber attacks against MongoDB databases. Hackers broke into unprotected MongoDB databases, stealing their content, and asking for a ransom to return the data.
Now it seems that the same hackers have started targeting Elasticsearch clusters that are unprotected and accessible from the internet.
Elasticsearch is a Java-based search engine based on the free and open-source information retrieval software library Lucene. It is developed in Java and is released as open source, it is used by many organizations worldwide.
Crooks are targeting Elasticsearch cluster with ransom attacks in the same way they have made with MongoDB.
The news was reported on the official support forums this week, a user who was running a test deployment accessible from the internet reported hackers removed all the indices and added a new index “warning” was created there.
The user has found the following text from the raw index data:
“SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS…”
Something quite similar to the recent ransom attacks against MongoDB.
“Late last week, a malicious attack was initiated, in which data from thousands of open source databases was copied, deleted and held for ransom. Although no malware, or “ransomware” was used in these attacks, and they are not related to product vulnerabilities, they nonetheless represent serious security incidents involving a data loss, or even a data breach.” reads the description of the discussion in the official forum. “The good news is that data loss from similar attacks is easily preventable with proper configuration.”
According to the security researcher Niall Merrigan, more than 600 Elasticsearch clusters have been targeted by the hackers.
Unfortunately, the number of internet-accessible Elasticsearch installs are much greater, roughly 35,000. The experts believe that the number of wiped Elasticsearch installs would rapidly increase, has it has happened for the MongoDB databases.
It is important to protect Elasticsearch clusters exposed on the Internet as soon as possible, there is no reason to expose them.
Researchers from the company Itamar Syn-Hershko have published a blog post that includes recommendations for securing Elasticsearch installations.
“Have a Single Page Application that needs to query Elastic and get jsons for display? Pass it through a software facade that can do request filtering, audit-logging and most importantly, password-protect your data,” states the blog post. “Without that, (a) you are for sure binding to a public IP and you shouldn’t, (b) you are risking unwanted changes to your data, (c) and the worst – you can’t control who accesses what and all your data is visible for all to see. Just what’s happening now with those Elasticsearch clusters.”
The experts suggest disabling the features that users don’t need such as dynamic scripting with non-sandboxed languages (mvel, groovy) used in old versions.
As usual, let me suggest you to avoid paying, but report the incident to law enforcement.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.