Over the course of the past two weeks, an unknown hacker has been breaking into unprotected Elasticsearch servers and deleting all of the data. These attacks seem to have started around March 24th according to security researcher John Wethington. It looks like the attacks are being carried out with the help of an automated script that scans for unprotected Elasticsearch servers, connects the databases, tries to wipe the contents and then creates an empty index named “nightlionsecurity[.]com.” Fortunately, the attack doesn’t work in all scenarios because there have been a number of servers with data still intact that include the nightlionsecurity[.]com index. Night Lion Security is a security firm; its owner, Vinny Troia, has denied that his company is behind the attacks and states that he believes a hacker he’s been tracking for years is responsible. The number of affected Elasticsearch servers has increased since March 26th from 150 to over 15,000 Elasticsearch servers with the nightlionsecurity[.]com index on them. Law enforcement officials have been notified of this activity and the Elasticsearch security team is now aware of the growing number of affected servers. It appears that another attacker is also targeting unsecured Elasticsearch servers and leaving a note asking the database owner to contact the attacker by email. Approximately 40 servers appeared to have been affected by that attack.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in