Posted on April 3, 2020 at 12:48 PM
15,000 Elasticsearch Servers Deleted and Defaced by a Hacker
Reports reveal that a hacker has been attacking exposed Elasticsearch servers for the past two weeks, and that he has been deflecting blame by pinning the attacks on the security firm Night Lion.
John Wethington, a British security researcher, discovered the hacker's activity and reported it immediately. According to him, the first wave of attacks on Elasticsearch servers started on March 24.
The researcher said the attack appears to be carried out by an automated script that scans the internet for unprotected Elasticsearch systems. Once the script finds such a system, it connects to the database and attempts to delete its contents. After wiping the compromised server, it creates a new index named nightlionsecurity.com.
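The wipe-and-deface pattern just described leaves two traces an operator can look for on their own clusters: the marker index and data indices that have suddenly dropped to zero documents. The following triage script is an added example, not code from the article or from the researchers it quotes. It assumes the caller has already fetched the JSON body of `GET /_cat/indices?format=json` (a real Elasticsearch endpoint) from a cluster they administer; the two sample responses embedded below are constructed for illustration, not real captures.

```python
import json
from typing import Dict, Iterable, List, Set

# Marker index the article says the wiper leaves behind on a cleared cluster.
DEFACEMENT_MARKERS: Set[str] = {"nightlionsecurity.com"}


def audit_cat_indices(cat_indices_json: str,
                      markers: Iterable[str] = DEFACEMENT_MARKERS) -> Dict[str, object]:
    """Inspect the JSON body of GET /_cat/indices?format=json and report
    signs of the wipe-and-deface pattern described in the article.

    Returns a dict with:
      marker_indices     - indices whose name matches a known defacement marker
      empty_user_indices - non-system, non-marker indices holding zero documents
      suspect_wipe       - True if a marker is present, or every user index is empty
    """
    markers = set(markers)
    rows = json.loads(cat_indices_json)

    marker_hits: List[str] = sorted(r["index"] for r in rows if r["index"] in markers)

    # System indices (names starting with '.') are legitimately small; judge
    # only the data indices an operator would actually populate.
    user_rows = [r for r in rows
                 if not r["index"].startswith(".") and r["index"] not in markers]
    # docs.count can be null for closed indices, so treat a missing value as 0.
    empty_user: List[str] = sorted(r["index"] for r in user_rows
                                   if int(r.get("docs.count") or 0) == 0)

    all_user_empty = bool(user_rows) and len(empty_user) == len(user_rows)
    return {
        "marker_indices": marker_hits,
        "empty_user_indices": empty_user,
        "suspect_wipe": bool(marker_hits) or all_user_empty,
    }


# Constructed sample responses (not real captures): one healthy cluster and
# one showing the pattern from the article.
HEALTHY_SAMPLE = json.dumps([
    {"index": ".kibana_1", "docs.count": "12", "store.size": "20kb"},
    {"index": "customer-events-2020.03", "docs.count": "5400", "store.size": "3.1mb"},
])

WIPED_SAMPLE = json.dumps([
    {"index": ".kibana_1", "docs.count": "12", "store.size": "20kb"},
    {"index": "customer-events-2020.03", "docs.count": "0", "store.size": "230b"},
    {"index": "nightlionsecurity.com", "docs.count": "0", "store.size": "230b"},
])


if __name__ == "__main__":
    for label, body in (("healthy", HEALTHY_SAMPLE), ("wiped", WIPED_SAMPLE)):
        print(label, audit_cat_indices(body))
```

The "all user indices empty" signal is deliberately kept separate from the marker check: the article notes the script does not always complete, so a cluster may have been wiped without the marker index ever being created. The real fix is to keep the cluster off the public internet and require authentication, which is what the affected servers lacked.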
Attacking method not always successful
Wethington revealed that although the attacker has succeeded in some instances, the script does not work every time.
Nonetheless, the wiping pattern is obvious on many Elasticsearch servers. Because the data on these servers changes so quickly, it is difficult to say exactly how many systems the hacker managed to compromise.
Vinny Troia, founder of the Night Lion security firm, said the firm had no hand in the attacks on Elasticsearch servers. He pointed out that the real perpetrator was simply trying to drag the firm into it, and that the firm knew nothing about any hack of Elasticsearch servers.
Troia was interviewed by DataBreaches.net last week. During the interview, he said the attack could have been carried out by a hacker the firm has been tracking for the past few years. According to him, that hacker probably decided to shift the blame because he wants the security firm off his back. Troia said he is even writing a book, most of which details the hacker's activities over the past few years.
Although the attack, first noticed on March 26, initially looked like a prank, it is now considered very serious because the hacker is doing real damage.
BinaryEdge security researchers stated that the number of attacks has increased exponentially. Before the first interview, only about 150 Elasticsearch servers had been defaced. Since then, the number of servers carrying the nightlionsecurity.com index has grown to over 15,000.
Considering how many Elasticsearch servers are exposed on the public internet, the defaced share is clearly very large. According to BinaryEdge, about 34,500 Elasticsearch servers are exposed on the public internet. If 15,000 of those have been infiltrated, the matter is a very serious one.
Law enforcement was notified immediately
Troia said he contacted the Elastic security team as soon as he discovered the breach. He said the company is currently investigating the number of attacked servers.
Presently, Wethington is compiling a list of all the servers affected by the attack and trying to find out which companies have had their servers disrupted.
A second hacker has been identified
While Wethington was looking into the problem, he discovered that a second hacker is also targeting Elasticsearch servers. The second attacker breaches the unsecured servers and leaves a message telling the victims that their server has been compromised and asking them to make contact via email.
However, this second campaign is still small in scale: the hacker has breached only 40 servers.
Similar attacks have occurred in the past
This is not the first time Elasticsearch or other database servers have been attacked. In 2017, several hacker groups specializing in database ransom attacks targeted multiple database technologies, including Elasticsearch. Several thousand Elasticsearch databases were wiped during that period, each left with a ransom message asking the owners to pay to recover their data. But the victims were not aware that the data had been deleted rather than stolen.