Since March 24, attackers have been breaking into unsecured Elasticsearch servers and attempting to erase their contents, leaving behind the name of the cybersecurity firm Night Lion Security in an apparent attempt to deflect blame.
John Wethington, a British security expert, is working with ZDNet on the case.
Erase the data and create a new index
According to British security researcher John Wethington, the attack appears to be carried out by an automated script that scans the Internet for unprotected Elasticsearch instances, connects to each database, attempts to delete its contents, and then creates a new empty index called nightlionsecurity.com.
The script does not seem to work in every case, however: on some databases the nightlionsecurity.com index is missing.
On many Elasticsearch servers, though, the wiping is obvious because the stored log entries simply stop near the most recent date. Because the data held in Elasticsearch servers is highly volatile, it is difficult to determine exactly how many systems have had data deleted.
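A defender-side check for the pattern Wethington describes (the indicator index, emptied indices, and log entries that stop abruptly), written as an added example that is not code from the article or from Elastic; the `_cat/indices` rows and timestamps it consumes are constructed sample data, and the two-day staleness threshold is an assumption.

```python
"""Flag the wiping pattern described above in an Elasticsearch index listing.

Hypothetical helper, not code from the article or from Elastic. It assumes the
caller has already fetched GET /_cat/indices?format=json and, for each data
index, the newest @timestamp (e.g. via a max aggregation). Samples are constructed.
"""
from datetime import datetime, timedelta, timezone

INDICATOR_INDEX = "nightlionsecurity.com"  # empty index the script leaves behind


def latest_timestamp_query(field="@timestamp"):
    """Search body that returns only the newest timestamp in an index."""
    return {"size": 0, "aggs": {"latest": {"max": {"field": field}}}}


def assess_indices(cat_indices, latest_ts, now, stale_after=timedelta(days=2)):
    """Return (index, finding) pairs for signs of the wipe.

    cat_indices: rows as returned by GET /_cat/indices?format=json
    latest_ts:   {index name: ISO-8601 timestamp of its newest document}
    now:         timezone-aware reference time
    """
    findings = []
    for row in cat_indices:
        name = row["index"]
        docs = int(row.get("docs.count") or 0)
        if name == INDICATOR_INDEX:
            findings.append((name, "indicator index present"))
        elif docs == 0:
            findings.append((name, "index is empty"))
        elif name in latest_ts:
            newest = datetime.fromisoformat(latest_ts[name])
            if now - newest > stale_after:
                # Log entries stop well before "now": data after that point is gone.
                findings.append((name, "log entries stop early"))
    return findings


# Constructed sample: one marker index, one emptied index, one truncated log index.
SAMPLE_CAT = [
    {"index": "nightlionsecurity.com", "docs.count": "0", "store.size": "230b"},
    {"index": "app-logs-2020.03", "docs.count": "0", "store.size": "230b"},
    {"index": "app-logs-2020.02", "docs.count": "812331", "store.size": "1.2gb"},
]
SAMPLE_LATEST = {"app-logs-2020.02": "2020-03-23T22:10:00+00:00"}
NOW = datetime(2020, 3, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for index, finding in assess_indices(SAMPLE_CAT, SAMPLE_LATEST, NOW):
        print(f"{index}: {finding}")
```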
According to a BinaryEdge search, around 150 Elasticsearch servers were found compromised, and the number of servers indexed by BinaryEdge that carry the nightlionsecurity.com index has since grown to over 15,000.
Given that BinaryEdge lists a total of 34,500 Elasticsearch servers directly reachable on the public Internet, this figure is unlikely to be the final tally of the attack.
The Elastic Security team is currently investigating how to handle the affected servers.
Security firm: we are not taking the blame for this
In an interview with reporters, Night Lion Security founder Vinny Troia denied that his company had anything to do with the ongoing attacks.
Troia said he believes the attack was carried out by hackers his company has been tracking for the past few years, and that he has reported the attack and related information to law enforcement.
Elastic is a Dutch-Israeli company whose Elasticsearch technology specialises in searching all types of data. Organizations widely use it as an internal search engine for their documents, and it is also used to track security violations in log files.
This is not the first time Elasticsearch servers have been wiped. In the spring and summer of 2017, multiple hacking groups carried out database ransom attacks against various database technologies, including Elasticsearch.
In the 2017 attacks, thousands of Elasticsearch servers had their data erased and replaced with a ransom note asking the owner to pay to recover the data; the victims did not know that the attackers had never stolen or backed up the data but had simply deleted it.
In July 2019, smart home solution developer Orvibo exposed a large Elasticsearch database containing over 2 billion log records on the public Internet. The data included email addresses, passwords, password reset information, geolocation data, IP addresses, usernames and identifiers, conversations recorded by smart cameras, and more.
In December 2019, the data of 28,000 customers of the Khanty-Mansi Autonomous Region's national service portal was leaked. The database had been left accessible to the public because of a misconfigured Elasticsearch server. The leaked information included customers' names, phone numbers, email addresses and other personal information, including details about their children. Users' authorization tokens for the portal were also compromised, which could allow third parties who intercepted them to access the users' personal accounts on the site.