Hackers ransom 1,200 exposed Elasticsearch databases

A mass hijacking of unsecured cloud instances has led to some 1,200 databases being held for ransom by threat actors.

A team of researchers with security vendor Secureworks found that the attackers used little more than an automated search script to identify and hijack hundreds of Elasticsearch instances and replace the data with a demand for a cryptocurrency ransom payment.

According to the Secureworks Counter Threat Unit (CTU) Research Team, the attack was hardly a technically complex operation. The research team said the attackers likely used an automated search script to identify Elasticsearch instances that had been set to allow read and write operations without any need for authentication or account credentials.

Once that script was run, it was simply a matter of taking down all the data and leaving a single file with the ransom demand (averaging around $620) and bitcoin wallet address. In the note, the attackers said that they had copied the data, though extortion operators have been known to lie.

"While the threat actor could have used a tool like Elasticdump to exfiltrate the data, the cost of storing data from 1,200 databases would be prohibitively expensive," the CTU researchers explained in a blog post Wednesday. "It is therefore likely that the data was not backed up and that paying the ransom would not restore it."

CTU researchers identified at least 450 individual ransom demands, demanding a total of more than $280,000. Secureworks confirmed the databases have since been taken offline, and there is no indication any of the compromised data has been released by the cybercriminals.

However, with low-hanging fruit comes a low payout. The team said that while it can't be certain whether any of the demands were met, both wallets mentioned in the ransom note show no sign of any money being transferred in or out.

The attack is one of what have now become countless instances of data being exposed or breached because administrators failed to set either authentication requirements or database access controls. For example, in 2020 more than 1,000 exposed MongoDB and Elasticsearch databases were attacked by a threat actor who wiped users' data and replaced it with the word "meow."

Researchers recommend that companies double-check their database instances for not only proper authentication requirements, but also for access settings that would prevent someone without an account from viewing internal data.

"When a database requires remote access, organizations should implement multifactor authentication (MFA) to protect internet-facing services," the CTU team recommended.

"Organizations should also review cloud providers' security policies and not assume that data is secured by default."