Thursday, March 28, 2024

Hundreds of Poorly Secured Elasticsearch Database Targeted in Ransom Attacks

In a recently discovered malicious campaign, Hackers have targeted 450 Elasticsearch indexes that have been replaced with ransom notes as a result of poorly secured databases. 

In those ransom notes, hackers have demanded $620 to restore each index. In short, the total amount required amount that is demanded to restore everything is $279,000.

This malicious campaign was discovered by the security experts of Secureworks security firm. Over 450 requests for ransom payments were identified by Secureworks’ cybersecurity analysts. 

In addition to setting a deadline for the payments, the threat actors threatened to double the amount if it was not paid in seven days. There is a possibility that the victims would lose their indexes if another week passes without receiving a paycheck.

Once payment is received, those who have paid the amount will be provided with a link to download their database. This link is said to help restore the data structure to its original form as soon as possible so that all of the data can be restored.

Ransom note

In exchange for access to the data, the note requests a payment of Bitcoin. There are a number of Elasticsearch indexes that exist on various versions of Elasticsearch and access to the indexes is not authenticated. 

The ransom notes were then stored as a feature in the ‘message’ field of an index that is known as ‘read_me_to_recover_database’, replacing the data stored in the databases.

More than 1,200 Elasticsearch databases containing the ransom note were discovered by researchers at CTU. 

Since the maximum number of the affected databases were hosted on cloud computing networks operated by cloud computing companies, it is not possible to determine the actual number of victims.

While the ransom payment is comparatively low according to the campaign size. There is no evidence that either wallet contained funds related to the ransomware and neither wallet appeared to have been used by the threat actor to transact any funds.

Campaign Outcomes

Similarly opportunistic attacks have occurred in the past and against other databases as well. To put it crudely, this type of malicious campaign is nothing new.

It is highly unlikely that the hackers will restore the contents of the database by paying them. Since the attacker would have a difficult and expensive time storing the data of so many databases, this isn’t a practical or economical solution.

Moreover, the security researchers have only tracked one bitcoin wallet address having received a payment on the Bitcoin ransom notes till now.

Several security mechanisms have to be implemented by organizations in order to ensure the integrity of internet-facing services and databases. 

One of the things that can be used for securing a database when remote access is needed, “multi-factor authentication” (MFA). 

As well as reviewing cloud providers’ security policies, it is important for companies to remember that data that is stored in the cloud is not automatically secured.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles