“NightLion” Worm Strikes Again

Cyble analyzes the resurfaced "NightLion", a worm that targets vulnerable, openly-accessible Elasticsearch Servers.

Introduction

Elasticsearch (ES) is a search engine-based NoSQL database system that is widely used for storing and searching data. ES is typically hosted on internet-facing infrastructure, and organizations often forget to implement standard procedures to protect their ES instances.

Recently, Cyble Research Labs came across a worm targeting Elasticsearch servers that are openly accessible without authentication. The worm deletes indices and leaves a note mentioning Night Lion Security and Shadow Byte, which are companies owned by Vinny Troia (a well-known security researcher).

Technical Analysis

We observed 829 open Elasticsearch servers that were attacked by this worm; most of the affected servers were located in the US, closely followed by China. Figure 1 shows the Shodan results analysis for these databases.

Figure 1 – Shodan Results Analysis for 829 ES databases

Among these 829 databases, only 4 of them have been tagged “compromised” by Shodan. The last active status of these 829 IPs ranges from May 24, 2022, to June 23, 2022.

On these ES servers, most indices had been deleted and a readme index had been added. The readme index is named in the form “read-me-hacked-by-nightlionsecurity.” Figure 2 shows the index name as seen on the ES.

Figure 2 – ES showing readme note index

Some of these ES databases contained sensitive datasets as large as 10GB. Figure 3 shows one such example of the dataset.

Figure 3 – Sensitive content from one of the indexes

The readme note states that the attack was carried out by Night Lion Security and that they have wiped the data. If the victim wants their data back, they have to pay Night Lion Security. The note contains the phone number and website URL for Night Lion Security and Shadow Byte. Figure 4 shows the readme note left by the worm on the ES.

Figure 4 – Readme note put up by the worm on the ES server

The threat actors most probably automated the discovery and targeting of Elasticsearch servers. The worm identifies openly accessible, unauthenticated ES servers, deletes most of their indices, and adds a readme note blaming Night Lion Security.
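The wipe-and-note pattern described above is easy to check for on a cluster you administer. The following script is an added example written for this write-up, not Cyble's tooling: it reads the JSON returned by GET /_cat/indices?format=json (a constructed sample is embedded so it runs offline), flags indices whose names match the note-index names the worm leaves (“read-me-hacked-by-nightlionsecurity” for the 2022 wave, “nightlionsecurity.com” for the 2020 wave), and reports whether the remaining indices look like a wiped cluster. The fetch_indices helper, its base_url and auth parameters, and the wiped-cluster heuristic are assumptions of the example.

```python
"""Audit an Elasticsearch index listing for the NightLion wipe-and-note pattern.

Added example for this write-up, not Cyble's or Elastic's code. Inspects the
output of GET /_cat/indices?format=json and reports ransom-note indices and
whether the cluster looks wiped (only system indices and the note remain).
"""
import base64
import json
import re
import urllib.request

# Note-index names described in the write-up: 2022 worm leaves
# "read-me-hacked-by-nightlionsecurity", the 2020 attack left "nightlionsecurity.com".
NOTE_PATTERNS = [
    re.compile(r"^read-?me-hacked-by-", re.IGNORECASE),
    re.compile(r"nightlionsecurity", re.IGNORECASE),
]

# Constructed sample of /_cat/indices?format=json output (not real victim data).
SAMPLE_LISTING = json.dumps([
    {"index": ".kibana_1", "docs.count": "12", "store.size": "30kb"},
    {"index": "read-me-hacked-by-nightlionsecurity", "docs.count": "1", "store.size": "5kb"},
    {"index": ".security-7", "docs.count": "3", "store.size": "10kb"},
])


def find_note_indices(indices):
    """Return the names of indices matching the ransom-note naming pattern."""
    return [i["index"] for i in indices
            if any(p.search(i["index"]) for p in NOTE_PATTERNS)]


def assess_wipe(indices):
    """Heuristic (assumption of this example): a cluster whose only non-system
    indices are ransom notes looks wiped. System indices start with a dot."""
    notes = set(find_note_indices(indices))
    user_indices = [i["index"] for i in indices
                    if not i["index"].startswith(".") and i["index"] not in notes]
    return {
        "note_indices": sorted(notes),
        "user_indices": user_indices,
        "looks_wiped": bool(notes) and not user_indices,
    }


def fetch_indices(base_url, auth=None, timeout=10):
    """GET /_cat/indices?format=json from a cluster you administer.
    auth is an optional (user, password) tuple for basic auth. Network call;
    not exercised by the offline sample below."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/_cat/indices?format=json")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    listing = json.loads(SAMPLE_LISTING)
    print(json.dumps(assess_wipe(listing), indent=2))
```

Running it on the constructed listing reports one note index, no remaining user indices, and looks_wiped set to true; pointing fetch_indices at a cluster you own gives the same assessment on live data.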

Related Previous Attacks

Night Lion Security and Shadow Byte (a rebrand of Night Lion Security) are owned by Vinny Troia, a security researcher whose name has been used by threat actors in a previous attack. A notable example is a 2020 incident that compromised 15,000+ Elasticsearch servers while blaming Night Lion Security.

In that attack, the threat actors used the same technique as in the latest one: automated discovery and targeting of ES servers. After attacking an ES server, the worm left a note index named “nightlionsecurity.com.” Figure 5 shows the index name from this previous attack.

Figure 5 – ES showing readme note for 2020 attack

Vinny Troia commented about this previous attack stating that the attack was carried out by hackers his company had been tracking for the past few years. Figure 6 shows one of his comments on Twitter.

Figure 6 – Comment made by Vinny Troia during 2020 ES attacks

Conclusion

Cyble Research Labs has seen multiple instances in the past wherein threat actors have tried to exfiltrate data from openly accessible Elasticsearch servers. Discovering these unauthenticated Elasticsearch servers is very easy, and threat actors leverage this fact to target them.

We have discussed Elasticsearch servers attacked by ransomware in a previous blog. You can read it here. We will continue to see these attacks on openly accessible databases, and we recommend that enterprises monitor these servers carefully.

Our Recommendations

Our recommendations for enterprises across industries to avoid breaches caused by Elasticsearch misconfigurations are:

  • Enable strong authentication for both ES servers and Kibana instances.
  • Create policies to track misconfigured Elasticsearch servers.
  • Conduct regular audits of the technology workflow process to identify any possible loopholes in the process.
  • Implement a Digital Risk Protection Services (DRPS) program to monitor infrastructure at potential risk.
  • Perform vulnerability assessments of internet-facing database servers routinely.
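The first two recommendations, enabling authentication and tracking misconfigured servers, can be partly automated. The script below is an added example for this write-up, not Cyble's or Elastic's code: it lints the flat settings in an elasticsearch.yml with the standard library only (nested YAML is out of scope), placing a constructed weak configuration beside its hardened equivalent, and classifies the HTTP status an unauthenticated GET / against your own cluster returns. The setting names are the real Elasticsearch keys (xpack.security.enabled, xpack.security.http.ssl.enabled, network.host); the severity levels, the LOOPBACK set and the two sample configs are assumptions of the example.

```python
"""Lint elasticsearch.yml for the misconfigurations behind open, unauthenticated clusters.

Added example for this write-up (not Cyble's or Elastic's code). Parses the
flat "key: value" settings that matter here without PyYAML and flags a
cluster that is bound to a non-loopback address with security switched off.
"""
import re

# Values of network.host that keep the node off the network (assumption: this
# list covers the common loopback spellings; extend it for your environment).
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

# Constructed configs: the weak one mirrors an internet-facing cluster with
# security disabled; the hardened one is the corrected equivalent.
WEAK_CONFIG = """\
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_settings(text):
    """Parse flat 'key: value' lines, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.\-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def audit_settings(settings):
    """Return a list of (severity, message) findings for the parsed settings."""
    findings = []
    host = settings.get("network.host", "_local_")  # ES binds loopback when unset
    exposed = host not in LOOPBACK
    security = settings.get("xpack.security.enabled", "").lower()
    if security == "true":
        if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
            findings.append(("MEDIUM", "xpack.security.http.ssl.enabled is not true: "
                             "basic-auth credentials cross the network in cleartext"))
    else:
        state = security or "unset (defaulted to false before ES 8.0)"
        severity = "HIGH" if exposed else "LOW"
        findings.append((severity, f"xpack.security.enabled is {state} while "
                         f"network.host={host}: any client can read, write and delete indices"))
    return findings


def classify_probe(status_code):
    """Classify the status of an unauthenticated GET / against your own cluster."""
    if status_code == 200:
        return "OPEN"            # cluster info served without credentials
    if status_code in (401, 403):
        return "AUTH_REQUIRED"   # security layer is enforcing credentials
    return "UNKNOWN"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_settings(parse_settings(cfg)))
```

The weak configuration produces one HIGH finding; the hardened one produces none. Pair the config lint with a scheduled classify_probe check from outside the network perimeter so that a server drifting back to OPEN is caught by policy rather than by the next worm.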

