Friday, October 4, 2024
HomeCyber Security NewsHundreds of Poorly Secured Elasticsearch Database Targeted in Ransom Attacks

Hundreds of Poorly Secured Elasticsearch Database Targeted in Ransom Attacks

Published on

In a recently discovered malicious campaign, Hackers have targeted 450 Elasticsearch indexes that have been replaced with ransom notes as a result of poorly secured databases. 

In those ransom notes, hackers have demanded $620 to restore each index. In short, the total amount required amount that is demanded to restore everything is $279,000.

This malicious campaign was discovered by the security experts of Secureworks security firm. Over 450 requests for ransom payments were identified by Secureworks’ cybersecurity analysts. 

- Advertisement - EHA

In addition to setting a deadline for the payments, the threat actors threatened to double the amount if it was not paid in seven days. There is a possibility that the victims would lose their indexes if another week passes without receiving a paycheck.

Once payment is received, those who have paid the amount will be provided with a link to download their database. This link is said to help restore the data structure to its original form as soon as possible so that all of the data can be restored.

Ransom note

In exchange for access to the data, the note requests a payment of Bitcoin. There are a number of Elasticsearch indexes that exist on various versions of Elasticsearch and access to the indexes is not authenticated. 

The ransom notes were then stored as a feature in the ‘message’ field of an index that is known as ‘read_me_to_recover_database’, replacing the data stored in the databases.

More than 1,200 Elasticsearch databases containing the ransom note were discovered by researchers at CTU. 

Since the maximum number of the affected databases were hosted on cloud computing networks operated by cloud computing companies, it is not possible to determine the actual number of victims.

While the ransom payment is comparatively low according to the campaign size. There is no evidence that either wallet contained funds related to the ransomware and neither wallet appeared to have been used by the threat actor to transact any funds.

Campaign Outcomes

Similarly opportunistic attacks have occurred in the past and against other databases as well. To put it crudely, this type of malicious campaign is nothing new.

It is highly unlikely that the hackers will restore the contents of the database by paying them. Since the attacker would have a difficult and expensive time storing the data of so many databases, this isn’t a practical or economical solution.

Moreover, the security researchers have only tracked one bitcoin wallet address having received a payment on the Bitcoin ransom notes till now.

Several security mechanisms have to be implemented by organizations in order to ensure the integrity of internet-facing services and databases. 

One of the things that can be used for securing a database when remote access is needed, “multi-factor authentication” (MFA). 

As well as reviewing cloud providers’ security policies, it is important for companies to remember that data that is stored in the cloud is not automatically secured.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...