Sunday, February 21, 21:08

Hackers locate exposed Elasticsearch servers before search engines

Hackers locate unprotected Elasticsearch servers exposed to the Internet faster than search engines can index them. One study found that threat actors typically go after them for cryptocurrency mining and credential theft.


During the experiment, a honeypot with a fake database recorded more than 150 unauthorized requests.

Comparitech's research team, led by Bob Diachenko, left the Elasticsearch server exposed to the Internet from May 11 to 22. During this time, the machine received an average of 18 attacks per day.

Search engines such as Shodan and BinaryEdge registered the system on May 16 and 21, respectively. The attackers were faster, however, and began to probe it eight hours and 30 minutes after deployment.

Before the search engines registered it, the server was "hit" more than thirty times, indicating that some threat actors do not wait for servers to be indexed before finding them.

Once registered, it took just one minute for two attacks to take place. The highest number of attacks in a day was 22.

Comparitech admits that some of the requests may have come from security researchers looking for new servers. However, distinguishing between them and hackers is not an easy task.

According to the study, most of the attacks came from USA (89), Romania (38) and China (15). This information is unreliable, however, because intruders can hide their real IP address using a proxy server.

Among the attacks observed, many hackers wanted to mine cryptocurrency, using an old vulnerability (CVE-2015-1427) to install a miner. Many IP addresses were used for these attacks, but all shared a common download source for the mining script.

Theft of the server's passwords was also common, through the same vulnerability used for cryptojacking, combined with another old Elasticsearch flaw that gives access to the server's /etc/passwd file.

Most attacks involved tampering with the server by wiping its contents; the attackers then demand a ransom after the data has been destroyed.

The latter happened outside the trial period, and the intruders demanded 0.06 BTC, i.e. $550. This is a common extortion practice, and some hackers manage to make a respectable profit from it.

Most of the requests observed during the experiment probed the database, trying to determine its status and settings, Comparitech says.

Unprotected Elasticsearch servers have caused data leaks with billions of records for millions of users.

The information collected this way can serve many purposes, from phishing and account compromise to identity theft.

To prevent unauthorized access to an Elasticsearch server, administrators need to make sure that authentication is enabled and that strong credentials are used. TLS must also be enabled so that data is encrypted as it crosses the network.
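As an added example (not part of the article or of Comparitech's study), a small Python check that reads a flat elasticsearch.yml and reports the combination described above: a non-loopback bind address without authentication or TLS. The setting names are real X-Pack keys; the two sample configurations and their keystore paths are constructed for the example.

```python
"""Audit a flat elasticsearch.yml for the exposure pattern in the article:
public bind address, no authentication, no TLS on the HTTP API."""

# Constructed sample: the kind of configuration that leaves a cluster open.
EXPOSED_YML = """\
cluster.name: honeypot
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the hardened counterpart (keystore paths are placeholders).
HARDENED_YML = """\
cluster.name: prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
"""

def parse_flat_yml(text):
    """Parse the flat 'dotted.key: value' lines Elasticsearch uses; skip comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings

def _is_true(settings, key, default):
    return settings.get(key, default).lower() == "true"

def audit(settings):
    """Return a list of findings; an empty list means none of the checked weaknesses apply."""
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch binds to loopback by default
    public = host not in ("_local_", "127.0.0.1", "localhost", "::1")
    # Assumption: an absent xpack.security.enabled is treated as disabled (the conservative reading;
    # the real default depends on the Elasticsearch version).
    auth = _is_true(settings, "xpack.security.enabled", "false")
    http_tls = _is_true(settings, "xpack.security.http.ssl.enabled", "false")
    if public and not auth:
        findings.append("reachable on non-loopback interface without authentication")
    if public and not http_tls:
        findings.append("HTTP API served without TLS")
    if auth and http_tls and not settings.get("xpack.security.http.ssl.keystore.path"):
        findings.append("HTTP TLS enabled but no keystore path set")
    return findings
```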


Teo Ehc