Elasticsearch is a Java-based search engine popularly used in the enterprise space for information cataloguing and data analysis.
The Attacks Against Elasticsearch Servers
Within three days, close to three thousand insecure servers had been wiped after hackers took over the systems. With more than 34,000 unsecured servers still open to the Internet, this is proving to be another gold mine for ransom-demanding hackers and coordinated hoaxes.
According to a tweet by John Matherly, founder of Shodan, the world's first search engine for Internet-connected devices, the majority of the close to 35,000 exposed Elasticsearch servers are hosted on Amazon Web Services infrastructure.
The hackers are taking over these servers by using tools and online services to detect exposed servers with no authentication at all. This is possible because Elasticsearch, like MongoDB, allows configurations without any authentication.
0.2 Bitcoin (BTC) is the going rate for the ransoms, but this figure could well rise. There is also no guarantee that paying the ransom will get your data restored. In short, attackers are taking advantage of the situation to play hoaxes on the victims.
System administrators and DevOps teams need, more than ever, to be proactive in securing their Internet-facing services. One can always use services like Shodan to scan their own public IP addresses to see what attackers could potentially have access to.
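The two points above, that Elasticsearch can run with no authentication at all and that you should check your own public addresses before someone else does, come together in a small self-audit. The script below is an added example, not code from the article or from the Elasticsearch project: it sends an unauthenticated GET to the root of the Elasticsearch HTTP API on a host you own and classifies the answer as open (cluster metadata returned with no credentials), auth-required (401/403), not-Elasticsearch, or unreachable. It assumes the default HTTP port 9200 and plain HTTP, uses only the Python standard library, and the three sample responses at the bottom are constructed so the classifier can be exercised without any network access.

```python
"""Self-audit: does one of our hosts answer Elasticsearch's root endpoint without credentials?"""
import json
import socket
import urllib.error
import urllib.request

# Assumption: the Elasticsearch HTTP API is listening on its default port.
DEFAULT_PORT = 9200


def classify_response(status, body):
    """Classify the HTTP status and body returned by GET / on the Elasticsearch port.

    Returns one of:
      'open'              - the node returned cluster metadata to an unauthenticated request
      'auth_required'     - the node exists but rejected the request for lack of credentials
      'not_elasticsearch' - something else (or nothing recognisable) answered
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "not_elasticsearch"
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return "not_elasticsearch"
    # A node's root endpoint returns at least cluster_name and a version object.
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"
    return "not_elasticsearch"


def check_host(host, port=DEFAULT_PORT, timeout=5.0):
    """Probe one host you own; returns (verdict, detail). No credentials are ever sent."""
    url = "http://%s:%d/" % (host, port)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # 401/403 still tell us a node is there, so keep the body for classification.
        status = exc.code
        body = exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        return "unreachable", str(exc)

    verdict = classify_response(status, body)
    detail = ""
    if verdict == "open":
        data = json.loads(body)
        detail = "cluster %r, version %s" % (
            data.get("cluster_name"), data.get("version", {}).get("number"))
    return verdict, detail


def audit(hosts, port=DEFAULT_PORT):
    """Map each host to its verdict; any 'open' host needs firewalling, a private bind address, or authentication."""
    return {host: check_host(host, port)[0] for host in hosts}


# Constructed sample responses (status, body) for exercising the classifier offline.
SAMPLE_OPEN = (200, '{"name":"node-1","cluster_name":"elasticsearch",'
                    '"version":{"number":"5.1.1"},"tagline":"You Know, for Search"}')
SAMPLE_SECURED = (401, '{"error":{"type":"security_exception",'
                       '"reason":"missing authentication token"},"status":401}')
SAMPLE_OTHER = (200, "<html><body>nginx default page</body></html>")

if __name__ == "__main__":
    import sys
    # Usage: python es_audit.py <your-host-or-ip> [...]
    for target in sys.argv[1:]:
        print(target, *check_host(target))
```

Run it only against addresses you are responsible for; a verdict of `open` means the node hands out cluster metadata (and, by extension, its indices) to anyone who can reach port 9200, which is exactly the condition the attackers described above are looking for. The fix is not in this script: bind the node to a private interface, put it behind a firewall or VPN, or enable an authentication layer, then re-run the audit to confirm the verdict changes.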