“NightLion” Worm Strikes Again

Introduction

Elasticsearch (ES) is a search-engine-based NoSQL database widely used to store and search large volumes of data. It exposes a REST API (port 9200 by default), and ES instances are often deployed on internet-facing infrastructure where organizations skip the standard hardening steps; an instance reachable that way without authentication is open to anyone who finds it.

Recently, Cyble Research Labs came across a worm targeting Elasticsearch servers that are openly accessible without authentication. The worm deletes indices and leaves a note mentioning Night Lion Security and Shadow Byte, which are companies owned by Vinny Troia (a well-known security researcher).

Technical Analysis

We observed 829 open Elasticsearch servers attacked by this worm, most of them located in the US, closely followed by China. Figure 1 shows the Shodan results for these databases.

Figure 1 – Shodan Results Analysis for 829 ES databases

Among these 829 databases, only 4 of them have been tagged “compromised” by Shodan. The last active status of these 829 IPs ranges from May 24, 2022, to June 23, 2022.

On these servers most indices have been deleted, and a new index has been created in their place to carry the note; its name takes the form “read-me-hacked-by-nightlionsecurity.” Figure 2 shows the index name as listed by ES.

Figure 2 – ES showing readme note index

Some of these ES databases contained sensitive datasets as large as 10 GB. Figure 3 shows one such dataset.

Figure 3 – Sensitive content from one of the indexes

The readme note claims that the attack was carried out by Night Lion Security, that the data has been wiped, and that victims who want their data back must pay Night Lion Security. It also lists a phone number and website URL for Night Lion Security and Shadow Byte. Figure 4 shows the note as written to the ES server by the worm.

Figure 4 – Readme note put up by the worm on the ES server

The threat actors have almost certainly automated the discovery and targeting of Elasticsearch servers: the worm finds ES servers that answer without authentication, deletes most of their indices, and creates the readme index blaming Night Lion Security.
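The behaviour described above leaves two things a defender can check from the outside: whether a node answers `GET /` without credentials, and whether its index list has already been reduced to the worm's note. The triage helper below is an added example written for this post (it is not Cyble's tooling or the worm's code). It operates on the JSON Elasticsearch returns from `GET /` and `GET /_cat/indices?format=json&bytes=b`; the three sample responses and the 203.0.113.x hosts are constructed so the functions run offline. It also matches the index name from the 2020 wave discussed later on this page, so one function covers both campaigns.

```python
"""Triage of an exposed Elasticsearch node: does it answer without credentials,
and if so has the worm already replaced its indices with a read-me note?

Added example for this post, not Cyble's tooling or the worm's code. Works on
the JSON Elasticsearch returns from `GET /` and from
`GET /_cat/indices?format=json&bytes=b`; the sample responses below are
constructed so the triage functions run offline. Hosts are RFC 5737
documentation addresses.
"""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Note-index names reported in the post: the 2022 worm creates an index named
# "read-me-hacked-by-nightlionsecurity..."; the 2020 wave used "nightlionsecurity.com".
NOTE_INDEX_PATTERNS = (
    re.compile(r"^read-me-hacked-by-nightlionsecurity", re.I),
    re.compile(r"^nightlionsecurity\.com$", re.I),
)


def matches_note_index(name: str) -> bool:
    return any(p.search(name) for p in NOTE_INDEX_PATTERNS)


@dataclass
class Finding:
    host: str
    verdict: str                 # auth-required | wiped | exposed | open-empty
    note_indices: list = field(default_factory=list)
    surviving_docs: int = 0      # documents in user indices other than the note
    surviving_bytes: int = 0


def triage(host: str, root_status: int, indices: list) -> Finding:
    """root_status is the HTTP status of an unauthenticated GET /;
    indices is the parsed JSON list from GET /_cat/indices?format=json&bytes=b."""
    if root_status in (401, 403):
        return Finding(host, "auth-required")
    finding = Finding(host, "open-empty")
    for idx in indices:
        name = idx.get("index", "")
        if matches_note_index(name):
            finding.note_indices.append(name)
            continue
        if name.startswith("."):        # system indices such as .kibana_1
            continue
        finding.surviving_docs += int(idx.get("docs.count") or 0)
        finding.surviving_bytes += int(idx.get("store.size") or 0)
    if finding.note_indices:
        finding.verdict = "wiped"
    elif finding.surviving_docs:
        finding.verdict = "exposed"
    return finding


def fetch_json(url: str, timeout: float = 5.0):
    """Unauthenticated GET returning (status, parsed body or None). Not used by the
    offline demo below; run it only against hosts you are authorised to test."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


# Constructed sample responses standing in for three hosts.
SAMPLE_WIPED = [
    {"index": "read-me-hacked-by-nightlionsecurity", "docs.count": "1", "store.size": "4096"},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "20480"},
]
SAMPLE_EXPOSED = [
    {"index": "customers-2022", "docs.count": "3400000", "store.size": "10737418240"},
]

if __name__ == "__main__":
    for host, status, idx in (("203.0.113.10", 200, SAMPLE_WIPED),
                              ("203.0.113.11", 200, SAMPLE_EXPOSED),
                              ("203.0.113.12", 401, [])):
        f = triage(host, status, idx)
        print(f"{f.host}: {f.verdict} notes={f.note_indices} "
              f"docs={f.surviving_docs} bytes={f.surviving_bytes}")
```

Against a live host you would feed `triage()` the status from `fetch_json("http://HOST:9200/")` and the body from `fetch_json("http://HOST:9200/_cat/indices?format=json&bytes=b")`; a verdict of `exposed` is the case to act on first, since that data is still there for the next automated pass to delete.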

Related Previous Attacks

Night Lion Security and Shadow Byte (a rebrand of Night Lion Security) are owned by Vinny Troia, a security researcher whose name has been used before by threat actors. A notable example is a 2020 incident that compromised more than 15,000 Elasticsearch servers while blaming Night Lion Security.

The threat actors used the same technique then as now, automating the discovery and targeting of ES servers. After attacking a server, that worm left an index named “nightlionsecurity.com.” Figure 5 shows the index name from this previous attack.

Figure 5 – ES showing readme note for 2020 attack

Vinny Troia commented on that attack at the time, stating that it was carried out by hackers his company had been tracking for the past few years. Figure 6 shows one of his comments on Twitter.

Figure 6 – Comment made by Vinny Troia during 2020 ES attacks

Conclusion

Cyble Research Labs has seen multiple instances in the past of threat actors exfiltrating data from openly accessible Elasticsearch servers. Discovering unauthenticated Elasticsearch servers is trivial with search engines such as Shodan, and threat actors leverage this to target them at scale.

We discussed Elasticsearch servers attacked by ransomware in a previous blog. Attacks on openly accessible databases will continue, and we recommend that enterprises monitor such servers carefully.

Our Recommendations

Our recommendations for enterprises across industries to avoid breaches caused by Elasticsearch misconfigurations are:

  • Enable authentication on both Elasticsearch (xpack.security.enabled: true) and Kibana with strong, unique credentials, and do not bind nodes to public interfaces; restrict ports 9200 and 9300 to trusted networks.
  • Create policies and scans to track misconfigured Elasticsearch servers, including periodic checks of your own IP space against Shodan-style search results.
  • Audit the technology workflow regularly to identify gaps in the process.
  • Implement a Digital Risk Protection Services (DRPS) program to monitor infrastructure at potential risk.
  • Perform vulnerability assessments of internet-facing database servers routinely.
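The first recommendation comes down to two lines in elasticsearch.yml: whether security is enabled and what address the node binds to. The lint below is an added example written for this post (not Cyble's tooling); it shows a weak and a hardened configuration side by side and flags the weak one. It assumes the flat `key: value` style in which elasticsearch.yml is normally written, so it needs no YAML library; both configuration texts are constructed, the setting names are real Elasticsearch settings, and 10.0.0.5 is an assumed internal address.

```python
"""Lint an elasticsearch.yml for the two misconfigurations behind incidents
like this one: security disabled and the node bound to every interface.

Added example for this post, not Cyble's tooling. Assumes the flat
`key: value` style of elasticsearch.yml (no nested mappings), so no YAML
library is needed; both configs below are constructed. Setting names are real
Elasticsearch settings; 10.0.0.5 is an assumed internal address.
"""
import re

WEAK_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0          # answers on every interface, including the public one
http.port: 9200
xpack.security.enabled: false  # no credentials needed for any API call
"""

HARDENED_CONFIG = """
cluster.name: analytics
network.host: 10.0.0.5         # internal interface only; 9200/9300 also firewalled
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Values of network.host that expose the node on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse top-level `key: value` lines; strips comments and surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = re.sub(r"\s+#.*$", "", line).strip()   # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_config(text: str) -> list:
    """Return a list of human-readable issues; empty means no finding."""
    s = parse_flat_yaml(text)
    issues = []
    if s.get("xpack.security.enabled", "").lower() != "true":
        issues.append("xpack.security.enabled is not true: set it so every request "
                      "needs credentials (it is enabled by default only from 8.0)")
    if s.get("network.host", "_local_") in ALL_INTERFACES:
        issues.append("network.host binds to all interfaces: bind to an internal "
                      "address and firewall 9200/9300 from the internet")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        issues.append("xpack.security.http.ssl.enabled is not true: credentials "
                      "would travel in cleartext")
    return issues


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["no issues"])
```

Run it over the elasticsearch.yml of every node you know about; the harder problem, and the one the second recommendation addresses, is the node nobody told you about, which no config lint will find.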
