[BreachExchange] A hacker has wiped, defaced more than 15,000 Elasticsearch servers

Destry Winant destry at riskbasedsecurity.com
Mon Apr 6 10:21:49 EDT 2020


For the past two weeks, a hacker has been breaking into Elasticsearch
servers that have been left open on the internet without a password
and attempting to wipe their content, while also leaving the name of a
cyber-security firm behind in an apparent attempt to divert blame.

According to security researcher John Wethington, one of the people
who saw this campaign unfolding and who aided ZDNet in this report,
the first intrusions began around March 24.

The attacks appear to be carried out with the help of an automated script
that scans the internet for Elasticsearch systems left unprotected,
connects to the databases, attempts to wipe their content, and then
creates a new empty index called nightlionsecurity.com.

The attacking script doesn't appear to work in all instances, though,
as the nightlionsecurity.com index is also present in databases where
the content has been left intact.

However, on many Elasticsearch servers, the wiping behavior is
obvious, as log entries simply cut off around recent dates, such as
March 24, 25, 26, and so on. Due to the highly volatile nature of data
stored inside Elasticsearch servers, it is hard to quantify the exact
number of systems where data was deleted.
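The marker index is the one reliable indicator the article describes, and the partial-failure case (marker present, data intact) means a server cannot be assumed wiped just because the index exists. The following triage script is an added example, not code from the ZDNet report, Night Lion Security or Elastic: it takes the JSON that `GET /_cat/indices?format=json` returns on an Elasticsearch node (the column names `index`, `docs.count`, `store.size` and `health` are that API's real field names) and classifies the node as clean, marker-only, or wiped. The three node responses embedded below are constructed for illustration; in practice the JSON would come from something like `curl -s 'http://host:9200/_cat/indices?format=json'` on each host in your inventory.

```python
"""
Added example (not part of the ZDNet article or of any vendor tooling):
triage the index list of an Elasticsearch node for the nightlionsecurity.com
defacement marker and decide whether the node's data actually survived.
"""
import json

# Index name the article reports the attacking script creating.
MARKER_INDEX = "nightlionsecurity.com"

# Constructed sample responses to GET /_cat/indices?format=json for three
# hypothetical nodes. These are not real captures.
SAMPLE_NODES = {
    "node-wiped": json.dumps([
        {"index": "nightlionsecurity.com", "docs.count": "0",
         "store.size": "230b", "health": "yellow"},
    ]),
    "node-marker-only": json.dumps([
        {"index": "logs-2020.03.24", "docs.count": "18233",
         "store.size": "9.1mb", "health": "green"},
        {"index": "logs-2020.03.25", "docs.count": "17402",
         "store.size": "8.7mb", "health": "green"},
        {"index": "nightlionsecurity.com", "docs.count": "0",
         "store.size": "230b", "health": "yellow"},
    ]),
    "node-clean": json.dumps([
        {"index": "logs-2020.04.05", "docs.count": "20011",
         "store.size": "10.2mb", "health": "green"},
    ]),
}


def classify(cat_indices_json: str) -> dict:
    """Return a verdict for one node from its _cat/indices JSON.

    "wiped"       - marker index present and no other index holds documents
    "marker-only" - marker index present but other indices still hold
                    documents (the partial-failure case the article describes)
    "clean"       - marker index absent
    """
    rows = json.loads(cat_indices_json)
    marker_present = any(r["index"] == MARKER_INDEX for r in rows)
    # docs.count can be null for red/yellow indices, so treat missing as 0.
    surviving_docs = sum(
        int(r.get("docs.count") or 0)
        for r in rows
        if r["index"] != MARKER_INDEX
    )
    if not marker_present:
        verdict = "clean"
    elif surviving_docs == 0:
        verdict = "wiped"
    else:
        verdict = "marker-only"
    return {
        "verdict": verdict,
        "marker_present": marker_present,
        "surviving_docs": surviving_docs,
        "indices": [r["index"] for r in rows],
    }


def triage(nodes: dict) -> dict:
    """Classify every node in a {name: cat_indices_json} mapping."""
    return {name: classify(body) for name, body in nodes.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_NODES).items():
        print(f"{name}: {result['verdict']} "
              f"(surviving docs: {result['surviving_docs']})")
```

A "marker-only" verdict still means the node was reachable and writable without credentials, so it belongs on the remediation list alongside the wiped ones; the verdict only tells you whether restoring from backup is also needed.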


In a Signal conversation with this reporter yesterday, Vinny Troia,
the founder of Night Lion Security, denied that his company had
anything to do with the ongoing attacks.

In an interview he gave DataBreaches.net on March 26, Troia said he
believes the attack is being carried out by a hacker he has been
tracking for years, and who is also the subject of a recently
released book.

But while the attacks looked like a prank on March 26, they're not
funny anymore. From the roughly 150 defaced Elasticsearch servers at
the time of the first interview, the number of Elasticsearch servers
where the nightlionsecurity.com index is now present has risen to more
than 15,000, according to a BinaryEdge search.

The number is quite large, considering that the same BinaryEdge lists
a total of 34,500 Elasticsearch servers that are directly exposed on
the public internet.

ZDNet has also reached out to the Elastic security team, which is now
looking into the growing number of attacked servers.

Wethington is currently compiling a list of servers impacted by this
attack, trying to identify companies that might have had services

Furthermore, while looking into this issue, Wethington also identified
a second hacker who is also targeting Elasticsearch servers. This
attacker is breaking into unsecured servers and leaving a message
telling victims they've been hacked and urging them to reach out via
email. Currently, only 40 servers have this message, suggesting the
attack is small in scale.

However, these types of destructive attacks where Elasticsearch data is
wiped are not the first of their kind. In the spring and summer of
2017, multiple hacker groups engaged in database ransom attacks
against multiple types of database technologies, including

Thousands of Elasticsearch servers had data wiped in 2017, and ransom
messages left behind, inviting owners to pay ransom requests to
recover their data -- with victims unaware that the data was never
stolen or backed up by the attacker, but merely deleted.

More information about the BreachExchange mailing list