A new study from the Comparitech research team, led by Bob Diachenko, found that attackers can find unprotected servers faster that websites can index them. Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze big volumes of data quickly and in near real-time. It is generally used as the underlying engine/technology that powers applications that have complex search features and requirements. Comparitech’s research team left an Elastisearch server exposed on the Internet for 11 days, which was probed by attackers only 8.5 hours after deployment, and averaged 18 attacks per day. Before being indexed by search engines, the server was hit more than 36 times which indicates that attackers are not waiting for servers to appear on public resources. The research company stated that some of the hits could be from security researchers looking for open servers. From the attacks observed, many of the attackers were attempting to install a crypto miner. Other attackers tried to use old exploits to either steal admin passwords, cryptojacking, or to perform a ransom-based attack.
Unprotected Elasticsearch servers have caused billions of records to be leaked. The information stolen from them can be used for phishing attacks, account hijacking or identity theft. To prevent an Elasticsearch server from being left exposed, administrators should make sure that authentication is enabled, and strong credentials are used. Also, TLS should be enabled to ensure data encryption when transiting the network. It is also advisable to use a penetration testing service to proactively search for security flaws so they can be patched before a breach happens.
To read more: https://www.bleepingcomputer.com/news/security/hackers-are-quick-to-notice-exposed-elasticsearch-servers/
To secure Elasticsearch servers: https://www.elastic.co/blog/how-to-prevent-elasticsearch-server-breach-securing-elasticsearch#secure-elasticsearch