ElasticSearch Hit by Ransom Attack-v3 - NSFOCUS …blog.nsfocusglobal.com/wp-content/uploads/2017/01/...©NSFOCUS 2017 ElasticSearch Hit by Ransom Attack Overview During the week of

©NSFOCUS 2017 http://www.nsfocusglobal.com

ElasticSearch Hit by Ransom Attack

Overview

During the week of January 21, 2017, over 34,000 vulnerable MongoDB databases fell victim to a ransom attack. Data residing on these databases was erased or encrypted, and Bitcoin payment was demanded in exchange for the return of the data. Moreover, on January 18th, 2017, several hundred ElasticSearch servers were hit by a ransom attack within a few hours, and the data housed on those servers was erased, accompanied by ransom demands. The methods used to attack the ElasticSearch servers were extremely similar to the exploit used in the MongoDB attack. Security researcher Niall Merrigan (who had been following up on the MongoDB database compromise) stated, “till now, over 2711 ElasticSearch servers have been attacked.” Many of the victims reside in the USA, with a few outliers in Europe, China, and Singapore.

Messages like the following can be seen on the compromised servers asking for ransoms in the form of Bitcoin payment:


Credit: code972.com

About ElasticSearch

ElasticSearch is a distributed search engine built on Apache Lucene that supports multi-user, full-text search. It is written in Java and is open source under the Apache license. It is recognized as the second most popular enterprise-class search engine (behind Apache Solr), and is often employed for information cataloging and data analysis within cloud computing environments. ElasticSearch offers real-time search, stable performance, and straightforward configuration.

ElasticSearch Server Deployment

As per John Matherly, founder of the Shodan search engine, about 35,000 ElasticSearch servers on the Internet are now facing serious security risks, the majority of which are hosted on Amazon Web Services.

According to ZDNet, approximately 59 servers in China are currently compromised by this active exploit. However, NSFOCUS Threat Intelligence (NTI) states that the number is in fact considerably higher: a suspected 1956 ElasticSearch servers operating out of China are at risk because they are exposed to the Internet.

ZDNet provides the following diagram illustrating the ElasticSearch server distribution as of January 13, 2017:

Credit: zdnet.com


ElasticSearch Distributions by Region

ElasticSearch Distributions by Province


In addition, NSFOCUS NTI detected 39,590 ElasticSearch servers distributed globally that are exposed to the Internet, as shown below.

ElasticSearch Risk

An improperly configured ElasticSearch server exposes itself to serious vulnerabilities. The server is typically accessed via its transport protocol over TCP (default port 9300) or via HTTP (default port 9200). Unfortunately, an ElasticSearch server's communication traffic is plain text and is not encrypted. Moreover, there is no authentication protecting an ElasticSearch server that is reachable from the Internet: anyone connecting to a port on the server can call the related APIs to delete, modify, and query arbitrary data on the server.
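As an added illustration of the exposure just described (this is example code, not part of the NSFOCUS report or of any cited article): the script below scans constructed reverse-proxy access-log lines for the destructive REST calls an unauthenticated client could issue against an open ElasticSearch HTTP endpoint, such as DELETE on _all or on a wildcard index name and POST to _delete_by_query, and escalates any finding whose source address lies outside the assumed internal ranges. The log format, the sample addresses, the severity rules and the list of internal networks are all assumptions made for the example; it goes slightly beyond the text by also covering the newer _delete_by_query endpoint.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined log format) from a reverse proxy
# in front of an ElasticSearch HTTP endpoint; illustrative, not from a real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2017:03:14:01 +0000] "GET /_cluster/health HTTP/1.1" 200 389
203.0.113.7 - - [18/Jan/2017:03:14:05 +0000] "GET /_cat/indices?v HTTP/1.1" 200 1206
203.0.113.7 - - [18/Jan/2017:03:14:07 +0000] "DELETE /_all HTTP/1.1" 200 21
203.0.113.7 - - [18/Jan/2017:03:14:09 +0000] "PUT /notes/doc/1 HTTP/1.1" 201 77
10.0.0.5 - - [18/Jan/2017:03:15:00 +0000] "POST /logs-2017.01/_search HTTP/1.1" 200 4410
10.0.0.9 - - [18/Jan/2017:03:16:00 +0000] "POST /logs-2017.01/_delete_by_query HTTP/1.1" 200 98
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Index names that the ElasticSearch REST API expands to "every index".
WILDCARD_TARGETS = {"_all", "*"}

# Assumed internal address ranges (RFC 1918 plus loopback); anything else is
# treated as the public Internet for escalation purposes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return 'critical' or 'high' for a destructive request, or None for a benign one.

    Rules (assumptions for this example, not a published ruleset):
      - DELETE on _all, * or any name containing '*': critical (whole-cluster wipe)
      - DELETE on any other index path: high
      - POST to .../_delete_by_query: high
      - any destructive call from a non-internal source address: raised to critical
    """
    method = entry["method"]
    path = entry["path"].split("?", 1)[0]          # drop the query string
    target = path.strip("/").split("/", 1)[0]      # first path segment = index name or _api
    severity = None
    if method == "DELETE" and (target in WILDCARD_TARGETS or "*" in target):
        severity = "critical"
    elif method == "DELETE" and target and not target.startswith("_"):
        severity = "high"
    elif method == "POST" and path.endswith("/_delete_by_query"):
        severity = "high"
    if severity is None:
        return None
    if not is_internal(entry["src"]):
        severity = "critical"  # destructive call arriving from outside the internal ranges
    return severity


def scan(log_text):
    """Return a list of (severity, source, method, path) for every destructive request found."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append((severity, entry["src"], entry["method"], entry["path"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%-8s %-14s %-6s %s" % finding)
```

Run on the constructed sample, the scan reports the DELETE of _all from the external address as critical and the _delete_by_query from an internal host as high; the read-only GET, _search and single-document PUT lines produce nothing. A proxy in front of the cluster is also the natural place to enforce the authentication that the server itself lacks.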

Protection Measures

The articles "Don't be ransacked: Securing your ElasticSearch cluster properly" by ElasticSearch consultant Itamar Syn-Hershko and "Protecting Against Attacks that Hold Your Data for Ransom" by ElasticSearch engineer Mike Paquette respectively describe how to configure and deploy ElasticSearch servers to prevent ransom attacks:

- Redeploy ElasticSearch servers on isolated networks: It is strongly recommended NOT to expose ElasticSearch servers to the Internet. You can use network.bind_host or network.host to configure a server to listen on private or local IP addresses only, and not on any Internet-facing IP address.

- If a requirement exists to access an ElasticSearch server via the Internet, it is recommended to ensure the following:


  - Ensure firewall integration.

  - Use VPN connectivity.

  - Use proxy servers to mediate the communication between the client and the server. Moreover, implementation of AAA (authentication, authorization, and auditing) is highly recommended.

  - DO NOT use the default ports.

  - Disable HTTP if the capability is not needed. The recommended deployment of ElasticSearch is to configure server groups that support specific roles such as control nodes, data nodes, and client nodes. Client nodes are the only nodes that require HTTP capability.

  - Disable scripting unless it is necessary. Users of ElasticSearch 1.x and 0.x are advised to upgrade as soon as possible. ElasticSearch 2.x uses Groovy as its default scripting language and does not support sandboxing; users of ElasticSearch 2.x are advised to remove the default scripting language from their configurations.

  - Employ official plug-ins: ElasticSearch 5.0 uses the X-Pack plug-in for protection, and ElasticSearch before 5.0 can use the Shield plug-in.

- Back up all data via Curator snapshots.
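The configuration-level items in the list above (binding, ports, HTTP on non-client nodes, scripting) can be checked mechanically. The script below is an added example, not code from NSFOCUS or from either cited article: it parses an elasticsearch.yml fragment and reports every setting that contradicts the guidance, showing a weak configuration beside a hardened one. The two embedded configuration fragments are constructed; the setting names network.host, network.bind_host, http.port, transport.tcp.port, http.enabled, node.master, node.data, script.inline and script.indexed follow the ElasticSearch 1.x/2.x naming; and treating the RFC 1918 ranges as "internal" is an assumption made for the example.

```python
import ipaddress

# Constructed elasticsearch.yml fragments for illustration (not from a real deployment).
WEAK_CONFIG = """\
cluster.name: prod-search
node.name: es-data-1
node.master: true
node.data: true
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
http.enabled: true
script.inline: on
script.indexed: on
"""

HARDENED_CONFIG = """\
cluster.name: prod-search
node.name: es-data-1
node.master: false
node.data: true
network.host: 10.20.0.15      # private address only, never an Internet-facing one
http.port: 19200              # non-default ports
transport.tcp.port: 19300
http.enabled: false           # data node: only client nodes need HTTP
script.inline: false
script.indexed: false
"""

# Address ranges treated as internal (RFC 1918 plus loopback); an assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# ElasticSearch special host values that bind every interface, or only local ones.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_", "_site_"}
LOCAL_ONLY = {"_local_", "localhost", "127.0.0.1", "::1"}
DEFAULT_PORTS = {"http.port": "9200", "transport.tcp.port": "9300"}


def parse_settings(text):
    """Parse flat 'key: value' YAML lines (enough for elasticsearch.yml); comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings


def is_truthy(value):
    """ElasticSearch accepts several spellings for an enabled flag."""
    return value.lower() in {"true", "on", "yes", "sandbox"}


def host_exposure(value):
    """Classify a network.host / network.bind_host value as 'all', 'local', 'internal', 'public' or 'unknown'."""
    if value in ALL_INTERFACES:
        return "all"
    if value in LOCAL_ONLY:
        return "local"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "unknown"  # hostnames and other _special_ values are not resolved here
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "public"


def audit(config_text):
    """Return a list of (setting, problem) tuples for settings that contradict the guidance."""
    s = parse_settings(config_text)
    findings = []
    for key in ("network.host", "network.bind_host"):
        if key in s and host_exposure(s[key]) in ("all", "public"):
            findings.append((key, "binds to %s; use a private or local address" % s[key]))
    if "network.host" not in s and "network.bind_host" not in s:
        findings.append(("network.host", "not set; versions before 2.0 listened on non-local interfaces by default"))
    for key, default in DEFAULT_PORTS.items():
        if s.get(key, default) == default:
            findings.append((key, "default port %s in use" % default))
    serves_data_or_master = is_truthy(s.get("node.data", "true")) or is_truthy(s.get("node.master", "true"))
    if is_truthy(s.get("http.enabled", "true")) and serves_data_or_master:
        findings.append(("http.enabled", "HTTP enabled on a master/data node; only client nodes need it"))
    for key, value in s.items():
        if key.startswith("script.") and is_truthy(value):
            findings.append((key, "dynamic scripting enabled (%s)" % value))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config: %d finding(s)" % (label, len(audit(cfg))))
        for setting, problem in audit(cfg):
            print("  %-20s %s" % (setting, problem))
```

The weak fragment yields six findings (exposed bind address, both default ports, HTTP on a data node, and two scripting flags); the hardened fragment yields none. The parser deliberately handles only flat keys, so nested YAML blocks would need a real YAML library.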


References

Syn-Hershko, I. (2017). Don't be ransacked: Securing your ElasticSearch cluster properly. Retrieved from: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

Paquette, M. (2017). Protecting Against Attacks that Hold Your Data for Ransom. Retrieved from: https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom


About NSFOCUS

NSFOCUS IBD is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider with operations in the Americas, Europe, Middle East, Southeast Asia, and Japan. NSFOCUS IBD has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company's Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms built on a foundation of real-time global threat intelligence to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit: http://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IBD, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.
