MongoDB Ransomware Extortionists Now Target ElasticSearch Servers

Shifting battleground. Damaging ransomware campaign against MongoDB opens new front against ElasticSearch

The ransomware campaign against the MongoDB database management system may be shifting its target to another open source target.

After highly damaging attacks that is said to have impacted 27,000 insecure MongoDB installations, the online extortionists are now targeting insecure ElasticSearch servers. 

ElasticSearch is a Java-based search engine that is used to index information.

Niall Merrigan, an Irish researcher living in Norway, who alongside Victor Gevers of the GDI Foundation documented the MongoDB attacks, has warned that the ransomware has now spread and has hit more than 600 ElasticSearch hosts.


ElasticSearch Attacks

The attacks against ElasticSearch hosts began on Thursday, and soon of the victims began complaining on the ElasticSearch forums.

Users are being greeted with similar ransomware demands to that of the MongoDB camapaign. Once again, the attackers are exploiting ElasticSearch servers exposed to the Internet that have weak passwords.

However ElasticSearch responded quickly to the attacks with a blog posting, detailing what steps users could take to protect their data.

“Late last week, a malicious attack was initiated, in which data from thousands of open source databases was copied, deleted and held for ransom,” said the blog. “The good news is that data loss from similar attacks is easily preventable with proper configuration.

Perhaps the most salient bit of advice in that blog is for users to backup their data and that unsecured Elasticsearch instances should not be directly exposed to the Internet.

A Shodan query shows that there are 35,000 ElasticSearch instances currently reachable via the Internet.

Another blog by Itamar Syn-Hershko, a search & big data expert, provides basic instructions on how to secure ElasticSearch servers against attackers.

Lax Security

The ElasticSearch attacks are depressingly familiar and demonstrate how security configurations are often overlooked by companies.

This is the point made by Terry Ray, chief product strategist at security firm Imperva.

“After 14 years in data security, I’m no longer surprised when speaking to organizations at the limited visibility that security, database administrators, and risk teams have as to who, how, and why entities touch their data,” said Ray.

“There is no reason why a company with even a basic data security strategy should allow an administrator to access, much less delete all information from a database without some level of over-site or workflow controls,” said Ray. “Since cloud-based NoSQL systems are relatively new, the experience of data scientists on these systems varies greatly. And, like almost all database systems, security configuration is not a priority.”

“I also find it interesting that the criminals here have decided that there is more money to be made by extortion than through the sale of the data on the dark web,” said Ray.

“But then again, even if a company pays the ransom, there is no guarantee that the hackers won’t also try to monetise the data,” he warned. “For the company, the real cost is the downtime associated with not being able to access critical systems. This is a prime example of why it is important to continuously monitor data where it lives and to block the actions of malicious actors.”

Quiz: How well do you know open source software?