
Poorly protected ElasticSearch databases expose over 26,000 Kibana instances on the internet

  • The exposed Kibana instances belong to a variety of entities - ranging from e-learning platforms to banking systems, parking management systems to hospitals & universities.
  • The US is highly affected by the incident, recording a total of 8,311 Kibana instances exposed due to misconfigured ElasticSearch databases.

Kibana is an open-source analytics and visualization platform designed to work with ElasticSearch databases. However, poorly protected databases have exposed over 26,000 Kibana instances on the internet.

What has happened - According to a report shared by an IT professional, who goes by the name @InfoSeclta, there are more than 26,000 Kibana instances that are open to the public on the internet. Apparently, most of them are not protected with passwords or any security solution.

“As of today (25 March 2019) Shodan.io search gives a result of 26,833 (!!!) Kibana instances running on the internet (growing of around 35/70 per day during the last weeks). Of course, as any other well programmed web app, you can secure your public Kibana app access with many login methods,” said InfoSeclta.

What’s the problem - The main reason for this is that Kibana does not come with any built-in security protections, like session management, to enable authentication.

“Even if your server is super secured and well configured, and your Elasticsearch is bound to 127.0.0.1 or localhost, or whatever kind of loopback address, an unprotected Kibana app running on top of the elasticsearch stack can compromise your server operativity and allow unauthenticated users to access Kibana dashboard (with admin privileges), thus gifting a strong foothold in further privilege escalation attacks to malicious entities,” InfoSeclta explained.
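The combination described in the quote above (Elasticsearch on loopback, Kibana reachable, no authentication) can be checked from the two configuration files. The following Python audit is an added example, not code from the report or from Elastic; the sample configs are constructed, the finding codes are hypothetical, and it assumes the defaults `server.host: localhost` and `network.host: _local_` when a key is absent.

```python
import ipaddress

# Constructed sample configs reproducing the case in the quote above:
# Elasticsearch on loopback, Kibana listening on every interface.
SAMPLE_KIBANA_YML = """
server.port: 5601
server.host: "0.0.0.0"   # reachable from any network
elasticsearch.hosts: ["http://127.0.0.1:9200"]
"""
SAMPLE_ELASTICSEARCH_YML = """
network.host: 127.0.0.1
http.port: 9200
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines these two files normally use."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # other hostnames or special values: treat as reachable

def audit(kibana_yml, elasticsearch_yml):
    """Return finding codes (hypothetical names) for the exposure described above."""
    kb, es = parse_flat_yaml(kibana_yml), parse_flat_yaml(elasticsearch_yml)
    kb_host = kb.get("server.host", "localhost")
    es_host = es.get("network.host", "_local_")
    # Assumption: a missing xpack.security.enabled means authentication is off.
    auth_on = es.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if not auth_on and not is_loopback(kb_host):
        findings.append("KIBANA_EXPOSED_NO_AUTH")
        if is_loopback(es_host):
            # Loopback-only Elasticsearch is still reachable through Kibana.
            findings.append("ES_LOOPBACK_REACHABLE_VIA_KIBANA")
    if not auth_on and not is_loopback(es_host):
        findings.append("ES_EXPOSED_NO_AUTH")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_KIBANA_YML, SAMPLE_ELASTICSEARCH_YML))
```

The check reads only these two files, so an authenticating reverse proxy or firewall rule placed in front of Kibana is invisible to it and has to be verified separately.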

What data is exposed - InfoSeclta told The Hacker News that the exposed Kibana instances belonged to a variety of entities - ranging from e-learning platforms to banking systems, parking management to hospitals & universities.

“I found many Kibana instances owned by big companies. One of them is a leader in building automotive technology (such as connected cameras etc.). Its Kibana server was exposing all the data coming from every camera they sold worldwide,” InfoSeclta informed The Hacker News.

“Every kind of data coming from the logs/debug/status of such cameras was available. I also found a Kibana stack from a big Asian stock exchange, which is still available unprotected in the wild.”

According to Shodan, the US is highly affected by the incident, recording a total of 8,311 Kibana instances exposed due to misconfigured ElasticSearch databases. The report also reveals that the largest number of exposed Kibana instances are hosted on cloud services from Amazon, Alibaba, Microsoft Azure and Google Cloud.
