Page 1
©NSFOCUS 2017 http://www.nsfocusglobal.com
ElasticSearch Hit by Ransom Attack
Overview
During the week of January 21, 2017, over 34,000 vulnerable MongoDB databases fell victim to a
ransom attack. Data residing on these databases was erased or encrypted and bitcoin payment was
demanded in lieu for return of the data. Moreover, on January 18th, 2017, several hundred
ElasticSearch servers were hit by a ransom attack within a few hours, and data housed on those
servers were erased with ransom demands. The methods that were used to attack the ElasticSearch
servers where extremely similar to the exploit that was used in the MongoDB attack. Security
researcher Niall Merrigan (who had been following up the MongoDB database compromise) stated,
“till now, over 2711 ElasticSearch servers have been attacked.” Many of the victims reside in the
USA, with a few outliers in Europe, China, and Singapore.
Messages like the following can be seen on the compromised servers asking for ransoms in the form
of Bitcoin payment:
Page 2
©NSFOCUS 2017 http://www.nsfocusglobal.com
Credit: code972.com
About ElasticSearch
ElasticSearch is a distributed search engine operating on Apache Lucene and supports multi-user,
full-text search ability. It is written in Java and is currently an open source code applicable to Apache
licensing terms. Additionally, it is recognized as the second most popular enterprise-class search
engine (behind Apache Solr), and is often employed for information cataloging and data
analysis within cloud computing environments. ElasticSearch supports real-time search functionality,
stable performance benchmarks, and seamless configurations operability.
ElasticSearch Server Deployment
As per John Matherly, founder of the Shodan search engine, about 35,000 ElasticSearch servers on
the Internet are now facing serious security risks, of which the majority are being hosted by Amazon
Web Services.
According to ZDNet, there are approximately 59 servers in China currently compromised due to this
active exploit. Although, NSFOCUS Threat Intelligence (NTI) states that the number is in fact quite
higher. A suspected 1956 ElasticSearch servers operating out of China are at risk due to being
exposed to the Internet
ZDNet provides the following diagram illustrating the current ElasticSearch server distribution as of
January 13, 2017:
Credit: zdnet.com
Page 3
©NSFOCUS 2017 http://www.nsfocusglobal.com
ElasticSearch Distributions by Region
ElasticSearch Distributions by Province
Page 4
©NSFOCUS 2017 http://www.nsfocusglobal.com
In addition, NSFOCUS NTI detected 39,590 ElasticSearch servers distributed globally, that are exposed to
the Internet as shown below.
ElasticSearch Risk
An improperly configured ElasticSearch server exposes itself to serious vulnerabilities. The server is
often accessed via TCP (default port 9300) or HTTP (default port 9200). Unfortunately, an
ElasticSearch server's communication traffic is in plain text, and it is not encrypted. Moreover, there
are no secure authentication protocols in use to access an ElasticSearch server that is accessible via
the Internet. Anyone connecting to a port on the server can call related APIs to delete, modify, and
query arbitrary data on the server.
Protection Measures
The articles, "Don't be ransacked: Securing your ElasticSearch cluster properly" by ElasticSearch
consultant Itamar Syn-Hershko, and "Protecting Against Attacks that Hold Your Data for Ransom" by
ElasticSearch engineer Mike Paquette, respectively describe how to configure and deploy
ElasticSearch servers to prevent ransom attacks:
l Redeploy ElasticSearch servers on isolated networks: It is strongly recommended NOT to expose
ElasticSearch servers to the Internet. You can use network.bind_host or network.host to configure a
server to listen on private or local IP addresses only, but no on any Internet IPaddresses
l If a requirement exists to access an ElasticSearch server via the Internet, it is recommended to
ensure the following:
Page 5
©NSFOCUS 2017 http://www.nsfocusglobal.com
Ø Ensure Firewall integration
Ø Use VPN connectivity
Ø Use proxy servers to the communication between the client and server. Moreover,
implementation of (AAA) authentication, authorization, and auditing is highly recommended.
Ø DO NOT use the default ports.
Ø Disable HTTP if the capability is not needed. The recommended deployment of ElasticSearch
is to configure server groups that support specific roles such as control nodes, data nodes, and
client nodes. Clients nodes are the only nodes that demand HTTP ability.
Ø Disable scripting unless it is necessary. Users of ElasticSearch 1.x and 0.x are advised to
upgrade as soon as possible. ElasticSearch 2.x uses Groovy as its default scripting language
and does not support sandbox functions. Users of ElasticSearch 2.x are advised to remove the
default scripting language from configurations.
Ø Employ official plug-ins: ElasticSearch 5.0 uses the X-Path plug-in for protection and
ElasticSearch before 5.0 can use the Shield plug-in.
l Back up all data via Curator snapshots.
Page 6
©NSFOCUS 2017 http://www.nsfocusglobal.com
References
Syn-Hershko, I. (2017). Don't be ransacked: Securing your ElasticSearch cluster properly. Retrieved from:http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly
Paquette, M. (2017). Protecting Against Attacks that Hold Your Data for Ransom. Retrieved from:
https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
Page 7
©NSFOCUS 2017 http://www.nsfocusglobal.com
About NSFOCUS
NSFOCUS IBD is a wholly owned subsidiary of NSFOCUS, an enterprise application and
network security provider with operations in the Americas, Europe, Middle East, Southeast Asia,
and Japan. NSFOCUS IBD has a proven track record of combatting the increasingly complex
cyber threat landscape through the construction and implementation of multi-layered defense
systems. The company's Intelligent Hybrid Security strategy utilizes both cloud and on-premises
security platforms built on a foundation of real-time global threat intelligence to provide unified,
multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
http://www.nsfocusglobal.com.
NSFOCUS, NSFOCUS IBD, and NSFOCUS, INC. are trademarks or registered trademarks of
NSFOCUS, Inc. All other names and trademarks are property of their respective firms.
QR code of NSFOCUS at Sina Weibo QR code of NSFOCUS at WeChat