After MongoDB databases, it is the turn of unsecured Elasticsearch clusters accessible over the internet to face ransomware attacks. The attacks were uncovered on 12 January (Thursday), when the first report of an Elasticsearch cluster being targeted by ransomware appeared on the official support forum. Elasticsearch is a popular Java-based search engine used by enterprises across the globe, mostly alongside data analytics, log collection and visualization platforms.
The victims reported data being wiped from the cluster, with only a single index left behind that displays the message from the hackers demanding a ransom in Bitcoin: “SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS.”
According to expert Niall Merrigan, who is tracking the development and sharing his findings on Twitter, the attacks are a continuation of the MongoDB database attacks of last week. So far, over 600 Elasticsearch clusters have been encrypted. The total number of clusters accessible over the internet has been put at 35,000, an appealing number for hackers across the globe. In the coming days, more unsecured clusters are expected to be affected, in a fashion similar to the MongoDB attacks, in which the affected count rose to 34,000 in a matter of days.
Security expert Itamar Syn-Hershko has written that there is no reason to expose clusters to the internet and leave them vulnerable. "Have a Single Page Application that needs to query Elastic and get jsons for display? Pass it through a software facade that can do request filtering, audit-logging and most importantly, password-protect your data," Syn-Hershko said. "Without that, (a) you are for sure binding to a public IP and you shouldn't, (b) you are risking unwanted changes to your data, (c) and the worst - you can't control who accesses what and all your data is visible for all to see. Just what's happening now with those Elasticsearch clusters."
Experts are advising affected enterprises not to pay the ransom, because there is no guarantee that the hackers have actually stolen the data and kept a backup. Their argument is supported by analysis of the MongoDB attacks, in which no evidence of data being stolen was found.
Itamar Syn-Hershko, in his blog post, has provided a list of do's and don'ts for enterprises to secure the data in their Elasticsearch clusters.
1. Use proxies to communicate with clients
2. Put Elasticsearch on an isolated network if possible
3. Don't use default ports
4. Disable HTTP where you don't need it
5. Secure publicly available client nodes
6. Ensure HTTP-enabled nodes are listening to private IPs only
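As an added example (not from the article or from Syn-Hershko's post), a small Python audit of an elasticsearch.yml against points 3, 4 and 6 of the list: it assumes ES 5.x-era setting names (network.host, http.host, http.port, http.enabled) and uses two constructed sample configs, a weak one and a hardened one.

```python
import ipaddress

# Bind values that expose the node on all interfaces or globally routable ones
# (the _name_ forms are Elasticsearch's own special values, ES 5.x era).
WILDCARD_OR_PUBLIC = {"0.0.0.0", "::", "_global_"}
DEFAULT_HTTP_PORT = "9200"
# Constructed samples: the first leaves the node reachable from the internet,
# the second follows points 3, 4 and 6 of the list above.
WEAK_CONFIG = """
network.host: 0.0.0.0      # every interface, public one included
http.port: 9200
"""
HARDENED_CONFIG = """
network.host: 10.0.1.15    # private address, reachable only from the proxy
http.port: 9700
http.enabled: false        # data-only node; clients go through the proxy
"""

def parse_settings(text):
    """Parse flat 'key: value' lines of an elasticsearch.yml (no nesting needed here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings, needs_http):
    """Return codes for the list points the config violates (empty list = clean)."""
    findings = []
    host = settings.get("http.host") or settings.get("network.host") or "_local_"
    if host in WILDCARD_OR_PUBLIC:
        findings.append("binds-public-ip")
    elif host.startswith("_"):
        if host not in ("_local_", "_site_"):  # loopback / site-local are private
            findings.append("bind-address-unverified")  # interface name: check by hand
    else:
        try:
            addr = ipaddress.ip_address(host)
            if not (addr.is_private or addr.is_loopback):
                findings.append("binds-public-ip")
        except ValueError:
            findings.append("bind-address-unverified")  # hostname: resolve and check
    http_on = settings.get("http.enabled", "true").lower() != "false"
    if http_on and not needs_http:
        findings.append("http-enabled-but-unneeded")
    if http_on and settings.get("http.port", DEFAULT_HTTP_PORT).startswith(DEFAULT_HTTP_PORT):
        findings.append("default-http-port")
    return findings
```

Run `audit(parse_settings(open("elasticsearch.yml").read()), needs_http=...)` per node; a non-empty list names the point of the list that node still violates.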