An estimated 35,000 Elasticsearch clusters exposed to the public Internet are potential victims of a series of ransom attacks that have already hit over 33,000 MongoDB databases.
The attacks, which security researchers Victor Gevers and Niall Merrigan call a “ransack,” have been ongoing for the past several weeks, but until recently targeted only MongoDB databases. To conduct the attack, adversaries discover exposed, insecure databases, (supposedly) steal their contents, and then demand a ransom to return the data.
Given that multiple hackers joined the campaign in an attempt to cash in on the existence of databases that haven’t been properly secured, 34,000 MongoDB instances had been impacted as of Thursday. Victor Gevers, the researcher who first discovered the attack, told SecurityWeek earlier this week that all of the insecure databases could be ransacked within the next couple of weeks, or earlier.
Now, it appears that the attackers have expanded their targets to Elasticsearch instances, with over 600 hosts hit to date. Ransomware has already proven a highly profitable business for many, and it’s no wonder that crooks are looking for a wider attack surface, given that the MongoDB space is becoming crowded.
According to a tweet from John Matherly, founder of Shodan, there are approximately 35,000 Elastic servers exposed to the Internet, and that number certainly looks highly appealing to any hacker. The majority of these servers are on Amazon Web Services, and the company appears to have already started sending out emails to warn customers about the attack.
What is still uncertain is whether the Elasticsearch ransack campaign was started by the actors involved in the MongoDB massacre or not. Based on information posted by victims, the modus operandi is certainly identical: insecure instances are hacked and the data is replaced with a note informing the owner to send payment to a Bitcoin address and then email the attacker to retrieve the data.
As Elastic explains, “Elasticsearch is a distributed, RESTful search and analytics engine” that “centrally stores your data.” Unlike MongoDB instances, which offer no form of security by default, Elasticsearch installations bind to localhost by default, thus keeping them away from unauthorized access.
With an increasing number of unsecured, Internet-accessible instances popping up, and with all of them being potential targets for ransom attacks, owners should consider securing them as soon as possible. Elastic has already published a blog post to signal the risk of leaving servers exposed to the Internet and to provide instructions on how to secure them.
While running Elasticsearch on an isolated non-routable network is ideal, the company admits that there are instances where the cluster has to be accessible over the Internet. In such cases, Elastic says, admins should restrict access to the cluster via firewall, VPN, reverse proxy, or other technology. Customers using Elastic Cloud aren’t affected, the company says.
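The bind-address point above (Elasticsearch listens on loopback unless told otherwise) is the setting an admin should check first. The following is an added example, not code from the article or from Elastic: a small audit of a node's elasticsearch.yml that flags any `network.host`, `http.host` or `transport.host` value that binds beyond the loopback interface. The setting names and special values (`_local_`, `_site_`, `_global_`) are real Elasticsearch settings; the parser handles the flat `key: value` lines the file uses, and the sample configs are constructed.

```python
"""Audit an elasticsearch.yml for bind settings that expose a node beyond loopback."""
import ipaddress
import re

# Elasticsearch special bind values; loopback-only ones are safe by the article's advice.
LOOPBACK_TOKENS = {"_local_", "localhost", "127.0.0.1", "::1"}
WIDE_TOKENS = {"_site_", "_global_", "0.0.0.0", "::", "0:0:0:0:0:0:0:0"}

_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml (no PyYAML needed).
    Inline lists such as ["_local_", "_site_"] are split into a Python list."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _KV.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith("[") and raw.endswith("]"):
            vals = [v.strip().strip("'\"") for v in raw[1:-1].split(",") if v.strip()]
        else:
            vals = [raw.strip("'\"")]
        settings[key] = vals
    return settings


def classify(token):
    """Return 'loopback' or 'exposed' for a single bind value."""
    if token in LOOPBACK_TOKENS:
        return "loopback"
    if token in WIDE_TOKENS:
        return "exposed"
    try:
        return "loopback" if ipaddress.ip_address(token).is_loopback else "exposed"
    except ValueError:
        return "exposed"  # hostnames or interface names like _eth0_: assume reachable


def audit(text):
    """Return (setting, value) pairs that bind the HTTP or transport port beyond loopback.
    http.host / transport.host override network.host for their own port, so all three
    are checked; an empty list means the node keeps the loopback default."""
    settings = parse_flat_yaml(text)
    findings = []
    for key in ("http.host", "transport.host", "network.host"):
        for value in settings.get(key, []):
            if classify(value) == "exposed":
                findings.append((key, value))
    return findings
```

A non-empty result means the node is reachable off-box and needs the firewall, VPN or reverse-proxy controls Elastic describes in front of it.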
Itamar Syn-Hershko, Elastic consulting partner, also provides details on what can be done to secure clusters. What’s more, he explains why some of the actions admins take, or the settings they choose, aren’t always a good idea from a security point of view.
“Whatever you do, never expose your cluster nodes to the web,” he says. “Your cluster should never-ever be exposed to the public web,” he continues.
While only insecure MongoDB and Elasticsearch installations appear to have been targeted so far, it might not be too long before other types of databases start being attacked as well. As BinaryEdge found a while ago, over 1 petabyte of data is exposed online due to misconfigured Redis (REmote DIctionary Server), MongoDB, Memcached, and Elasticsearch installations.