Threat Watch

Unprotected Elasticsearch Servers Being Wiped

Over the course of the past two weeks, an unknown hacker has been breaking into unprotected Elasticsearch servers and deleting all of the data. These attacks seem to have started around March 24th, according to security researcher John Wethington. It looks like the attacks are being carried out with the help of an automated script that scans for unprotected Elasticsearch servers, connects to the databases, tries to wipe the contents and then creates an empty index named “nightlionsecurity[.]com.” Fortunately, the attack doesn’t work in all scenarios: a number of servers that carry the nightlionsecurity[.]com index still have their data intact. Night Lion Security is a security firm; its owner, Vinny Troia, has denied that his company is behind the attacks and states that he believes a hacker he’s been tracking for years is responsible. Since March 26th, the number of affected Elasticsearch servers carrying the nightlionsecurity[.]com index has grown from 150 to over 15,000. Law enforcement officials have been notified of this activity, and the Elasticsearch security team is now aware of the growing number of affected servers. It appears that another attacker is also targeting unsecured Elasticsearch servers and leaving a note asking the database owner to contact the attacker by email. Approximately 40 servers appear to have been affected by that attack.

ANALYST NOTES

Companies that use Elasticsearch servers should check that their servers are protected properly. At a minimum, a username and strong password should be configured to control access to the server, and it should be configured to use TLS encryption for all network communication. A guide to enabling the security controls for Elasticsearch can be found here: https://www.elastic.co/blog/how-to-prevent-elasticsearch-server-breach-securing-elasticsearch. All data should be backed up regularly, and restores should be tested, in case of incidents such as these where the server’s content is completely wiped. In previous attacks against Elasticsearch servers, attackers demanded a ransom payment and promised to restore data, but they simply took the money and never provided a copy of the data in return.
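The check described above, written as an added example for this bulletin (not code from Elastic or from the cited article): it asks your own cluster’s `/_cat/indices` endpoint without credentials, treats a 200 as proof that anyone who can reach the port has full access, and then looks for the wiper’s marker index and for any surviving data. The marker name assumes the bulletin’s “[.]” is a defanged literal dot; the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

# Index name the bulletin reports the wiper creating; "[.]" assumed to be a defanged dot.
WIPER_MARKER_INDEX = "nightlionsecurity.com"


def fetch_indices(base_url, timeout=5):
    """Anonymously GET /_cat/indices. 401 means credentials are enforced; 200 means
    anyone who can reach the port can list (and likely delete) every index."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_cat/indices?format=json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return exc.code, None


def assess(status, indices):
    """Classify the probe result: locked down, exposed, attacked-but-survived, or wiped."""
    findings = {"anonymous_access": status == 200, "wiper_marker_present": False,
                "data_indices": 0, "verdict": ""}
    if status != 200 or indices is None:
        findings["verdict"] = "locked: anonymous listing refused; still verify TLS and passwords"
        return findings
    findings["wiper_marker_present"] = any(i["index"] == WIPER_MARKER_INDEX for i in indices)
    # Indices other than the marker that still hold documents (docs.count is a string, or null
    # for closed indices, in the cat API's JSON output).
    findings["data_indices"] = sum(
        1 for i in indices
        if i["index"] != WIPER_MARKER_INDEX and int(i.get("docs.count") or 0) > 0)
    if findings["wiper_marker_present"] and findings["data_indices"] == 0:
        findings["verdict"] = "wiped: marker index present and no data left; restore from backup"
    elif findings["wiper_marker_present"]:
        findings["verdict"] = "attempted: marker present but data intact; lock down and snapshot now"
    else:
        findings["verdict"] = "exposed: anonymous access works; enable authentication and TLS"
    return findings


# Constructed sample responses (no real cluster) in the shape of /_cat/indices?format=json.
SAMPLE_WIPED = [{"index": "nightlionsecurity.com", "docs.count": "0"}]
SAMPLE_SURVIVED = [{"index": "nightlionsecurity.com", "docs.count": "0"},
                   {"index": "customer-events-2020.03", "docs.count": "48211"}]

if __name__ == "__main__":
    import sys
    code, body = fetch_indices(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9200")
    print(json.dumps(assess(code, body), indent=2))
```

Run it against each of your own clusters (for example `python check_es.py https://es.internal:9200`); a “locked” verdict only confirms that anonymous listing is refused, so the TLS and password settings from the linked guide still need to be checked directly.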

Source: https://www.zdnet.com/article/a-hacker-has-wiped-defaced-more-than-15000-elasticsearch-servers/?&web_view=true