Hackers that hit MongoDB installs now switch on exposed Elasticsearch clusters

The hackers that targeted MongoDB installations with ransom attacks now switch on the exposed Elasticsearch clusters with a similar tactic.

A few days ago I reported the news of a string of cyber attacks against MongoDB databases. Hackers broke into unprotected MongoDB databases, stealing their content, and asking for a ransom to return the data.

Now it seems that the same hackers have started targeting Elasticsearch clusters that are unprotected and accessible from the internet.

Elasticsearch is a Java-based search engine based on the free and open-source information retrieval software library Lucene. It is developed in Java and is released as open source, it is used by many organizations worldwide.

Crooks are targeting Elasticsearch cluster with ransom attacks in the same way they have made with MongoDB.

The news was reported on the official support forums this week, a user who was running a test deployment accessible from the internet reported hackers removed all the indices and added a new index “warning” was created there.

The user has found the following text from the raw index data:

“SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS…”

Something quite similar to the recent ransom attacks against MongoDB.

“Late last week, a malicious attack was initiated, in which data from thousands of open source databases was copied, deleted and held for ransom. Although no malware, or “ransomware” was used in these attacks, and they are not related to product vulnerabilities, they nonetheless represent serious security incidents involving a data loss, or even a data breach.” reads the description of the discussion in the official forum. “The good news is that data loss from similar attacks is easily preventable with proper configuration.” 

According to the security researcher Niall Merrigan,  more than 600 Elasticsearch clusters have been targeted by the hackers.

Unfortunately, the number of internet-accessible Elasticsearch installs are much greater, roughly 35,000. The experts believe that the number of wiped Elasticsearch installs would rapidly increase, has it has happened for the MongoDB databases.

It is important to protect Elasticsearch clusters exposed on the Internet as soon as possible, there is no reason to expose them.

Researchers from the company Itamar Syn-Hershko have published a blog post that includes recommendations for securing Elasticsearch installations.

“Have a Single Page Application that needs to query Elastic and get jsons for display? Pass it through a software facade that can do request filtering, audit-logging and most importantly, password-protect your data,” states the blog post. “Without that, (a) you are for sure binding to a public IP and you shouldn’t, (b) you are risking unwanted changes to your data, (c) and the worst – you can’t control who accesses what and all your data is visible for all to see. Just what’s happening now with those Elasticsearch clusters.”

The experts suggest disabling the features that users don’t need such as dynamic scripting with non-sandboxed languages (mvel, groovy) used in old versions.

As usual, let me suggest you to avoid paying, but report the incident to law enforcement.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Elasticsearch , hacking)

[adrotate banner=”13″]