What is Going on with Elasticsearch?

Lately, Elasticsearch servers are in the news a lot, and not for the right reasons.

The latest scenario

Threat actors are mainly aiming for credential theft and cryptocurrency mining. A research team conducted an experiment in which they left an Elasticsearch server exposed from May 11 to May 22. The server saw an average of 18 attacks per day.

What else?

  • In April 2020, a hacker was found repeatedly breaking into exposed Elasticsearch servers that had no password set and attempting to wipe their contents. This went on for two weeks, and more than 15,000 servers were defaced.
  • In March 2020, over 5 billion records were unwittingly exposed by a U.K.-based security company.
  • In February 2020, over 123 million records were leaked by Decathlon via an unprotected Elasticsearch server. Allegedly, the exposed data on the server included PII.
  • In November 2019, the client data of the Gekko Group was exposed; the data included unencrypted payment information, among other things.
  • In October 2019, the personal data of 1.2 billion people was leaked via an unsecured Elasticsearch server that contained around 4 billion user accounts.

So why do Elasticsearch servers keep getting hacked?

Elasticsearch is a popular choice for indexing and searching large volumes of data. But is Elasticsearch responsible for all the hacks? The answer is no.
  • The root cause of the issues is a poor understanding of Elasticsearch's security configuration and what each setting does. People often leave their data reachable from the internet by unauthenticated and unauthorized users.
  • Other times, developers expose testing or development systems to the internet for convenience and forget to change the configuration when moving to production.

The bottom line is that data leaks via Elasticsearch servers are not the software's fault. Security teams are advised to secure their deployments by not exposing servers publicly and by isolating them from the rest of the network.
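One way to catch the two root causes above before a node goes live is to audit its configuration file rather than wait for a scan to find it. The script below is an added example for this post, not code from the article or from Elastic; it reads a flat elasticsearch.yml and flags the exposed-and-unauthenticated combination the incidents describe. The setting names (network.host, http.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings; both configuration samples are constructed for the example, the parser deliberately handles only the flat `dotted.key: value` form, and the function names are my own.

```python
"""Audit a flat elasticsearch.yml for the misconfigurations behind most Elasticsearch leaks:
an HTTP API bound to a non-loopback address with security disabled (added example)."""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: a development node left reachable from every interface, security off.
WEAK_CONFIG = """\
cluster.name: dev-cluster
node.name: dev-node-1
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: the same node bound to loopback with security and TLS enabled.
HARDENED_CONFIG = """\
cluster.name: dev-cluster
node.name: dev-node-1
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse `dotted.key: value` lines. Comments (# preceded by whitespace or at line start)
    and blank lines are skipped. Nested YAML mappings are not supported (assumed flat file)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"unsupported line (nested YAML?): {raw!r}")
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_true(value: str | None) -> bool:
    return value is not None and value.strip().lower() == "true"


def host_is_exposed(value: str) -> bool:
    """True when the bind value reaches beyond the loopback interface."""
    v = value.strip().strip("'\"")
    if v in {"_local_", "localhost"}:
        return False
    if v in {"0.0.0.0", "::", "_site_", "_global_"} or (v.startswith("_") and v.endswith("_")):
        return True  # any-address, site/global selectors, or an interface name such as _eth0_
    try:
        return not ipaddress.ip_address(v).is_loopback
    except ValueError:
        return True  # arbitrary hostnames are treated conservatively as exposed


def audit(settings: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings: list[str] = []
    # http.host overrides network.host for the REST layer; the default is loopback (_local_).
    raw = settings.get("http.host", settings.get("network.host", "_local_"))
    hosts = [h.strip() for h in raw.strip("[]").split(",") if h.strip()]
    exposed = any(host_is_exposed(h) for h in hosts)
    if exposed:
        findings.append(f"HTTP API bound to non-loopback address(es): {', '.join(hosts)}")
    security = settings.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled not set; default is false on 7.x and true from 8.0")
    elif not is_true(security):
        findings.append("xpack.security.enabled is false: anyone who reaches the port is unauthenticated")
    if exposed and not is_true(settings.get("xpack.security.http.ssl.enabled")):
        findings.append("HTTP API reachable off-host without TLS (xpack.security.http.ssl.enabled is not true)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(parse_flat_yaml(text)) or ["no findings"]:
            print("  -", finding)
```

Run it against a real elasticsearch.yml by passing the file contents to `parse_flat_yaml`; the bind-address check errs on the side of reporting, so an interface selector like `_eth0_` or a hostname is flagged for a human to confirm rather than silently accepted.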