Hackers locate unprotected Elasticsearch servers that are exposed to the Internet faster than search engines can register them. One study found that threat factors typically select cryptocurrency mining and theft of credentials to attack.
During the experiment, a honeypot with a fake database recorded more than 150 unauthorized requests.
Comparitech's research team, led by Bob Diachenko, left the Elasticsearch server exposed to the Internet from May 11 to 22. During this time, the machine received an average of 18 attacks per day.
Search engines such as Shodan and BinaryEdge registered the system on May 16 and 21, respectively. The attackers, however, were faster and began to detect it eight hours and 30 minutes after deploy.
Prior to registration by search engines, the server was "hit" more than thirty times, indicating that some threat factors are not waiting for servers to appear on the Internet to detect them.
Once registered, it took just one minute for two attacks to take place. The highest number of attacks in a day was 22.
Comparitech admits that some of the requests may have come from security researchers looking for new servers. However, distinguishing between them and hackers is not an easy task.
According to the study, most of the attacks came from USA (89), Romania (38) and China (15). This information is unreliable, however, because intruders can hide their real IP address using a proxy server.
From the attacks observed, many hackers wanted to extract cryptocurrencies using an old vulnerability (CVE-2015-1427) to install a miner. Many IP addresses were used for these attacks, but all had a common download source for the mining script.
Theft of passwords for the server was also common through the same vulnerability with the one used for cryptojacking with another old error that affects the Elasticsearch transition to the server / etc / passwd file.
Most attacks involve changing the configuration of the server by deleting the contents internally. They then demand ransom after the data is destroyed.
The latter happened outside the trial period and the intruders demanded 0,06 BTC, ie $ 550. This is a common practice of blackmail, with some hackers managing to make a respectable profit.
Most of the requests observed during it experiment they investigated the database, trying to determine its status and settings, Comparitech says.
Unprotected Elasticsearch servers have caused data leaks with billions of records for millions of users.
To avoid unauthorized access to one Elasticsearch server, administrators need to make sure that authentication is enabled and that strong credentials are used. Also, the TLS must be enabled to ensure that data is encrypted as it passes through the network.