360 Total Security Blog

MongoDB attackers hijacked ElasticSearch servers for ransom

ElasticSearch, the most popular enterprise search engine for data analysis, has become the new target of cybercriminals. Servers with weak passwords were hijacked and held for ransom by a group of crooks who just attacked thousands of MongoDB databases several days ago.

ElasticSearch clusters were removed and held for $181 worth of Bitcoin ransom.

Last Thursday, January 12, 2017, a server owner posted on the ElasticSearch forum, saying that hackers had removed his test ElasticSearch cluster and left a ransom note:

SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS…

This method of attack was the same one used on MongoDB. At the time of writing, this Bitcoin address has received two ransom payments.

The number of compromised servers is increasing as more hackers join the attack.

According to Niall Merrigan, a security expert who has been following this attack, the first attack found on the 12th of January targeted open servers with no authentication. Over 600 ElasticSearch servers have been reported compromised, and attackers have been continuously hacking unauthenticated systems online since then.

Another security researcher, Victor Gevers, also tweeted, “Within 3 days 2,515 Elasticsearches were eradicated & ransomed. 34,298 vulnerable Elasticsearches are still open.”

elastic.co: The ransom attack is easily preventable with proper configuration.

Elastic (elastic.co), the company behind ElasticSearch, has issued a statement: since the attackers did not exploit any product vulnerability or use malware, data loss from similar incidents can be prevented with proper configuration.

Users are recommended to take the steps below to protect their data:

– Back up all data to a secure location and consider data backup and recovery tools like Curator snapshots.

– Run ElasticSearch on an isolated non-routable network.

– Do not directly expose your cluster to the Internet. Use technologies such as a firewall, VPN or reverse proxy to restrict access to it.
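As an added example (not code from the original post or from Elastic), the following Python script audits a node's elasticsearch.yml against two of the steps above: whether the REST listener is reachable from the network, and whether a snapshot repository path is configured so backups have somewhere to go. It relies on the real settings network.host, http.host and path.repo, assumes Elasticsearch 2.x/5.x defaults (loopback bind when nothing is set), and the two sample configs are constructed.

```python
# Added example (not from the original post or from Elastic): audit an
# elasticsearch.yml against the hardening steps above. It uses the real settings
# network.host, http.host and path.repo and assumes Elasticsearch 2.x/5.x, where
# the default bind is loopback; the two sample configs below are constructed.
import ipaddress
import re

LOCAL_BIND = {"_local_", "localhost", "127.0.0.1", "::1"}   # host-only listeners
WIDE_BIND = {"_site_", "_global_", "0.0.0.0", "::"}         # every interface


def parse_flat_yaml(text):
    """Read the flat 'key: value' lines elasticsearch.yml normally uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"^([\w.]+)\s*:\s*(.+)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip("\"'")
    return settings


def is_network_reachable(host):
    """True when a node bound to `host` accepts connections from other machines."""
    if host in LOCAL_BIND:
        return False
    if host in WIDE_BIND:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # interface name such as _eth0_, or a hostname: treat as exposed


def audit(settings):
    """Return findings for a parsed config; an empty list means the checks passed."""
    findings = []
    # http.host overrides network.host for the REST listener; default is loopback.
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    if is_network_reachable(host):
        findings.append(f"REST listener bound to {host}: reachable beyond this host, "
                        "so it must sit behind a firewall, VPN or reverse proxy")
    if "path.repo" not in settings:
        findings.append("path.repo is unset: no filesystem snapshot repository can be "
                        "registered, so snapshot backups have nowhere to go")
    return findings


# Constructed sample configs: an exposed node and a hardened one.
EXPOSED_YML = "cluster.name: prod\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED_YML = ("cluster.name: prod\nnetwork.host: 127.0.0.1\n"
                'path.repo: ["/mnt/es-backups"]  # snapshot repository\n')
```

Running `audit(parse_flat_yaml(EXPOSED_YML))` reports both the network-wide bind and the missing repository path, while the hardened config returns no findings; a node bound to `_site_` on an isolated network still shows up, which is intended, because that listener must be covered by the firewall or VPN step.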