According to Secureworks, hackers are attacking poorly protected Elasticsearch databases and have already replaced at least 450 indexes with ransom notes.
Let me remind you that recently we also wrote that Experts Found More Than 3.6 million Unprotected MySQL Servers.
CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. It is not possible to determine the actual number of victims because the vast majority of the databases were hosted on networks operated by cloud computing providers. It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases.the researchers write.
Apparently, to compromise their targets, the attackers use an automated script that analyses unprotected databases, erases information, and adds a ransom note to the server. Researchers believe that nothing is done manually in this campaign. Experts remind that paying extortionists is not the best idea. At least because the practical and financial problems associated with storing such a large number of databases make this task almost impossible for hackers. More often, attackers simply delete the contents of an unprotected database, leave a ransom note, and hope that the victim will believe their threats. The hackers behind the campaign have reportedly received only one payment to one of their bitcoin wallets so far.While this campaign appears to be unsuccessful, it poses a risk to organizations hosting data in online databases. Unprotected Elasticsearch instances are trivially easy to identify using the Shodan search engine. Instructions are available for identifying unsecured Elasticsearch databases.experts of Secureworks told.
