
After days of wreaking havoc among MongoDB servers, a group of crooks has moved on to hijacking ElasticSearch servers and asking for similar ransoms.

The first wave of attacks hit ElasticSearch server owners yesterday, with some of the victims complaining on the ElasticSearch forums.

Over 600 servers hijacked already

Niall Merrigan, one of the security researchers who was following the original MongoDB attacks, has now started tracking the ElasticSearch attacks. At the time of writing, Merrigan reported over 600 ransacked ElasticSearch servers.

ElasticSearch is a Java-based search engine, used to index information in large web services and enterprise networks.

The attackers are allegedly taking over ElasticSearch servers exposed to the Internet with weak and guessable passwords.

Based on the reported ransom notes, there appears to be only one group behind these attacks, named P1l4t0s. A verbatim copy of the ransom note is embedded below:

SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS p1l4t0s@sigaint.org

At the time of writing, the Bitcoin address listed above has received only one ransom payment.

Itamar Syn-Hershko, a search & big data expert, has published a blog post with basic instructions on how to secure ElasticSearch servers against attackers.
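The exposure behind these attacks is a node reachable from the Internet with nothing enforcing authentication in front of it. The following elasticsearch.yml fragment is an added illustration, not text from the article or from Syn-Hershko's post, and assumes a single-node Elasticsearch 5.x install with placeholder values; it shows the weak binding beside the corrected one.

```yaml
# elasticsearch.yml (added example; assumes a single-node 5.x install,
# addresses and ports below are placeholders)

# WEAK: binding to every interface makes the HTTP API reachable from the
# Internet, and the open-source distribution of that era shipped no built-in
# authentication, so anyone who can reach port 9200 can read, drop and
# replace indices.
# network.host: 0.0.0.0
# http.port: 9200

# CORRECTED: bind to loopback (the 5.x default) or a private interface only.
network.host: 127.0.0.1
http.port: 9200

# Remote clients reach the node only through a reverse proxy that enforces
# authentication and TLS; host firewall rules allow 9200 (HTTP) and
# 9300 (transport) solely from that proxy and from other cluster members.
```

A quick self-check after applying this is to request the root endpoint of the HTTP API from a host outside the private network: a hardened node should refuse the connection or answer with a proxy-level authentication challenge rather than the cluster's version banner.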

Around 35,000 ElasticSearch servers still available online

A Shodan query reveals around 35,000 ElasticSearch instances reachable via the Internet today. In August 2015, security experts from BinaryEdge found only 8990 ElasticSearch instances available online, which at the time exposed 531,199 terabytes of information.

In December 2015, an AlienVault experiment revealed that attackers could use two different vulnerabilities to hijack ElasticSearch servers and add them to a botnet.

Just as the attacks on MongoDB servers were ramping up, your editor was wondering how much time it would take for attackers to move on to other technologies.

The answer is three days. Other possible future targets include Apache CouchDB, Redis, and Memcached, all of which are easily found online, albeit not as insecure as MongoDB.