Hackers spotting exposed Elasticsearch servers faster than search engines

News by Andrew McCorkell

Hackers have been finding unprotected Elasticsearch servers exposed on the internet quicker than search engines can index them, new research from Comparitech has found.

A honeypot experiment lured more than 150 unauthorised requests to a fake database, the first arriving less than 12 hours after it was exposed.

Javvad Malik, security awareness advocate at KnowBe4 said that exposed servers are a big concern, and are responsible for exposing a large number of records on an almost daily basis around the world.

Malik said: “It's why it's important that organisations have a strong security culture embedded throughout the organisation so that through each department, there are robust security controls in place.

"For example, for Elasticsearch servers, organisations should ensure that servers are only accessible remotely once users have been securely authenticated, the data has been encrypted, and there is monitoring in place to detect when there is any access. Additionally, assurance controls should regularly test that the required security is in place and operating as expected."
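The three controls Malik lists (authenticated access only, encryption, and monitoring of access) map directly onto Elasticsearch's own settings. The following is an added illustration, not configuration from the article or from Comparitech's honeypot: an exposed elasticsearch.yml beside a hardened one, with the private address and certificate paths as assumed placeholder values.

```yaml
# elasticsearch.yml (exposed): listens on every interface with security off,
# so anyone who finds port 9200 can read, write and delete indices without
# credentials. This is the shape of the servers the honeypot imitated.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# elasticsearch.yml (hardened): host address and certificate paths below are
# assumed example values, not from the article.
network.host: 10.0.5.12          # private address only; reach it via VPN/bastion
http.port: 9200

# 1. Authentication: every REST and transport request must carry credentials
#    (native users, API keys, or another realm). No anonymous roles are
#    configured, so an unauthenticated probe receives 401 instead of data.
xpack.security.enabled: true

# 2. Encryption: TLS on the REST API and on node-to-node transport, so
#    credentials and documents are not readable on the wire.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12

# 3. Monitoring: audit authentication outcomes and denied access, so each
#    unauthorised request of the kind the honeypot recorded lands in the
#    audit log where an alert can pick it up.
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include:
  - authentication_success
  - authentication_failed
  - anonymous_access_denied
  - access_denied
  - connection_denied
```

Since Elasticsearch 8.0 these security features are switched on automatically for a new installation; the exposed block reflects older releases or deployments where they were deliberately turned off.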

Comparitech's research team said the Elasticsearch server was left exposed on the web from 11 May until 22 May, attracting around 18 attacks daily.

Robert Ramsden-Board, VP EMEA, at Securonix said the research proves just how opportunistic attackers really are and that there are “no holds barred when it comes to finding these databases” on the internet.

Ramsden-Board said: “Servers should never be left without authentication or a password. This is just basic cybersecurity hygiene, but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence.

“Leaked data can expose customers to a host of security threats, which could leave them vulnerable to scammers. Threats range from identity theft, catfishing and blackmail to harassment, phishing and fraud.

"This research should serve as a lesson that leaving a database exposed for any amount of time on the internet is unacceptable and therefore, stringent measures should be put in place to ensure it doesn't happen."

The research showed it took search engines like BinaryEdge until 21 May and Shodan until 16 May to index the system, while hackers began probing within just eight hours and 30 minutes.

Martin Jartelius, CSO at Outpost24, said: "We’ve seen this time and time again - companies using Elasticsearch for analytics or big data projects and making careless mistakes in the misconfiguration.

"To prevent this scenario, companies must ensure they have the security process and controls in place to assess and be alerted of potential misconfigurations on a continuous basis. 

“With GDPR, privacy and security need to be taken seriously. It is upsetting to note that these unprotected servers are being found so regularly - almost as if there is a lack of even trying."

The study showed that most of the attacks came from the United States (89), Romania (38), and China (15), though this geolocation was unreliable, as attackers can hide their true IP address by using a proxy service.

Jamie Akhtar, CEO and co-founder of CyberSmart said the research on Elasticsearch servers demonstrates the power of basic cyber hygiene practice in protecting against attack.

Akhtar added: “By enabling two-factor authentication or using strong passwords, businesses and employees could prevent unauthorised access to an Elasticsearch server, and potentially devastating attacks.

“The UK's Cyber Essentials scheme is a great blueprint for cyber hygiene with its five security control areas, which is why we encourage SMEs to follow it. These are relatively simple security moves, making sure security settings are enabled and software is up-to-date, but they make a big difference."

David Kennefick, product architect at Edgescan said that data breaches as a result of misconfigured infrastructure/databases happen “more often than we'd like to think”.

He said: “Organisations should consider monitoring their environment continuously in order to be able to spot these exposures so they can be locked down and removed from global access as soon as possible.

“Services such as Azure and AWS have an automatic control that locks down machines and servers in the form of enforced security groups, meaning that, to leave a database exposed, users would have to go out of their way to configure settings to expose them. Misconfigurations usually happen when teams are managing technologies that don't have these types of controls enabled by default.

“It is important not to assume that the service you are using is secure: it is better to double-check, test and take a little longer to create your environment securely than to accidentally leave sensitive information exposed and open to all sorts of attacks and legal liabilities."

Many of the attacks were seeking to mine for cryptocurrency by exploiting an old vulnerability (CVE-2015-1427), where several IP addresses were used but had a common download source for the mining script.
