Hackers have been trying to exact virtual revenge on Vinny Troia, a security researcher, pentester, and owner of Night Lion Security and Shadowbyte, ever since he published a book revealing secrets of The Dark Overlord (thedarkoverlord) and other hacking groups. Recently, Cyble researchers identified a worm called NightLion that names Night Lion Security and Shadowbyte as responsible for its activities.

NightLion worm targeting Elasticsearch servers

NightLion worm hunts for openly accessible, unauthenticated Elasticsearch servers and deletes the databases' indices.
  • The worm leaves a readme note mentioning Night Lion Security and Shadowbyte, claiming that Night Lion Security carried out the attack and wiped the data.
  • The note further says that if the victims want their data back, they have to pay Night Lion Security. The note contains the contact number and website URL for Night Lion Security and Shadowbyte.
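The wipe-plus-readme pattern described above is easy to spot from a cluster's own index listing. The following detection script is an added example, not tooling from Cyble, Night Lion Security or the worm's authors; the ransom-note name pattern and the sample listings are constructed assumptions.

```python
"""Flag an Elasticsearch cluster that shows the wiper signature: a ransom-note
index with no user data left beside it.  Input is the JSON form of
GET /_cat/indices (constructed samples below)."""
import json
import re
from urllib.request import urlopen  # used only by fetch_indices(), not by the samples

# Names a ransom-note index commonly uses; this pattern is an assumption.
NOTE_PATTERN = re.compile(r"(readme|read_me|warning|recover|how_to|ransom)", re.IGNORECASE)


def fetch_indices(base_url: str, timeout: float = 5.0) -> list:
    """Pull /_cat/indices as JSON from a cluster you administer.

    If this succeeds without credentials, the cluster answers unauthenticated,
    which is exactly the precondition the worm above relies on."""
    with urlopen(f"{base_url.rstrip('/')}/_cat/indices?format=json", timeout=timeout) as resp:
        return json.load(resp)


def classify(indices: list) -> dict:
    """Split indices into note-like and data indices and give a verdict."""
    notes = [i["index"] for i in indices if NOTE_PATTERN.search(i["index"])]
    # System indices (leading dot) are not user data and are ignored here.
    data = [i["index"] for i in indices
            if i["index"] not in notes and not i["index"].startswith(".")]
    if notes and not data:
        verdict = "wiped"          # note present, user data gone
    elif notes:
        verdict = "note-present"   # note beside surviving data: still alert
    else:
        verdict = "clean"
    return {"verdict": verdict, "notes": notes, "data_indices": data}


# Constructed sample: what /_cat/indices?format=json looks like after a wipe.
SAMPLE_WIPED = json.loads("""[
  {"health":"green","status":"open","index":"read_me_to_recover","docs.count":"1","store.size":"4.5kb"},
  {"health":"green","status":"open","index":".kibana_1","docs.count":"3","store.size":"10.2kb"}
]""")

# Constructed sample: a healthy cluster with one data index.
SAMPLE_HEALTHY = json.loads("""[
  {"health":"yellow","status":"open","index":"customer-orders-2020.06","docs.count":"812345","store.size":"9.8gb"},
  {"health":"green","status":"open","index":".kibana_1","docs.count":"3","store.size":"10.2kb"}
]""")

if __name__ == "__main__":
    for name, sample in (("wiped", SAMPLE_WIPED), ("healthy", SAMPLE_HEALTHY)):
        print(name, classify(sample))
```

Run it periodically against your own clusters; a "wiped" or "note-present" verdict, or a successful unauthenticated fetch, should page the on-call.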

NightLion’s reach so far

Cyble has found 829 openly accessible unauthenticated Elasticsearch servers.
  • Most of these databases are in the U.S. (200), China (180), Germany (86), France (67), and Singapore (33).
  • However, Shodan has tagged only four of these databases as compromised.
  • Some of these databases contained sensitive datasets as large as 10 GB. The last-seen dates for the 829 affected IPs range from May 24 to June 23.

The revenge history

In March 2020, attackers (allegedly thedarkoverlord) wiped public-facing Elasticsearch servers and left a note named “NightlionSecurity.com”. The NightLion worm apparently wiped over 15,000 Elasticsearch servers and left Night Lion Security's details as a greeting card. The attackers most probably exploited a PHPUnit CVE from 2017.

Conclusion

The threat actors have most probably automated the discovery and targeting of unprotected Elasticsearch servers. Organizations must focus on the security of these servers, as information gleaned from them can serve a myriad of nefarious purposes, ranging from phishing and account hijacking to identity theft.
Publisher: Cyware