12K Misconfigured Elasticsearch Buckets Ravaged by Extortionists

Published : 23/11/2024   Category : security




The cloud instances were left open to the public Internet with no authentication, allowing attackers to wipe the data.



Cyberattackers are targeting misconfigured Elasticsearch cloud buckets exposed on the public Internet and stealing the wide-open data, then replacing it with a ransom note.

According to Secureworks Counter Threat Unit (CTU) researchers, more than 1,200 indexes have already been affected, with the attackers issuing 450 requests for Bitcoin payment in exchange for the return of the data. However, the ransom amounts are relatively low, researchers have pointed out: taken together, all of the demands total just $280,000.

The average ransom request was approximately $620, payable to one of two Bitcoin wallets, they noted in a Wednesday analysis. As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms.

Despite the lackluster follow-through on the part of attackers thus far, the situation highlights a serious issue: misconfiguration of databases placed in the public cloud has reached epidemic proportions, with large numbers of enterprises mistakenly leaving storage buckets from Amazon Web Services, Google Cloud, and Microsoft Azure accessible with no authentication to read or write the data.

Often, these open instances are discovered by security researchers and locked down without incident, but system misconfigurations still drove an estimated 13% of overall malicious system breaches recorded in the recent Verizon 2022 Data Breach Investigations Report (DBIR), with misconfigured cloud storage instances making up the bulk of those.

Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine, the CTU researchers noted. The threat actor probably used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note.

They added that the cost of storing data from 1,200 databases would be prohibitively expensive. It is therefore likely that the data was not backed up and that paying the ransom would not restore it.

In 2020, ESET researchers uncovered a similar attack that affected half of all exposed MongoDB instances, which were wiped and replaced with a ransom note.
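The exposure described in this article comes down to two settings and one behaviour: a cluster whose HTTP listener is bound to a non-loopback interface while authentication is off, and a burst of unauthenticated index deletions followed by an index creation. The following is an added example, not code from the article, Secureworks CTU or Elastic: it audits a flat elasticsearch.yml for the weak-setting pattern beside the corrected one, and runs a simple detector over access-log lines. Both the configuration texts and the log lines are constructed; the log format is a hypothetical reverse-proxy format (time, client, user, method, path, status), not Elasticsearch's own audit log schema.

```python
"""Defensive checks for the open-Elasticsearch pattern. Added example with
constructed inputs; not the project's or the researchers' code."""
import re
from collections import Counter, defaultdict

# Constructed weak config: listener on every interface, security disabled,
# so anyone who can reach port 9200 can read, write and delete indexes.
WEAK_CONFIG = """\
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened config: authentication on, TLS on the HTTP layer,
# listener bound to an internal address.
HARDENED_CONFIG = """\
cluster.name: analytics
network.host: 10.0.12.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Bindings that only the local host can reach; anything else is network-reachable.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines typical of elasticsearch.yml.
    Comments and blank lines are skipped; nested YAML is not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text):
    """Return findings describing how close the config is to the wiped-cluster pattern."""
    s = parse_flat_yaml(text)
    findings = []
    # network.host may be a single value or a bracketed, comma-separated list.
    hosts = [h.strip().strip("\"'") for h in s.get("network.host", "_local_").strip("[]").split(",")]
    reachable = [h for h in hosts if h not in LOOPBACK]
    security = s.get("xpack.security.enabled", "").lower()
    if security == "false":
        if reachable:
            findings.append("CRITICAL: xpack.security.enabled=false with listener bound to "
                            f"{', '.join(reachable)}: unauthenticated read/write/delete from the network")
        else:
            findings.append("HIGH: xpack.security.enabled=false (loopback binding is the only barrier)")
    elif security != "true":
        # Elasticsearch 8.x enables security by default, 7.x does not, so an
        # absent key must be checked against the running version.
        findings.append("MEDIUM: xpack.security.enabled not set; confirm the default for this version")
    if security == "true" and s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("MEDIUM: HTTP TLS disabled; credentials and data cross the wire in plaintext")
    return findings


# Constructed access-log lines (hypothetical proxy format): time, client,
# authenticated user ('-' means none), method, path, HTTP status.
SAMPLE_LOG = """\
2024-11-20T08:14:01Z 203.0.113.7 - GET /_cat/indices 200
2024-11-20T08:14:02Z 203.0.113.7 - DELETE /customer_records 200
2024-11-20T08:14:02Z 203.0.113.7 - DELETE /orders-2024 200
2024-11-20T08:14:03Z 203.0.113.7 - DELETE /audit_trail 200
2024-11-20T08:14:04Z 203.0.113.7 - PUT /notice 200
2024-11-20T08:15:10Z 10.0.12.40 svc_ingest POST /orders-2024/_doc 201
2024-11-20T08:15:11Z 10.0.12.41 admin DELETE /tmp_scratch 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|PUT|POST|DELETE|HEAD) (\S+) (\d{3})$")
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def detect_anonymous_wipe(log_text, delete_threshold=3):
    """Group successful (2xx) unauthenticated write requests by client and flag
    clients whose index-level DELETEs reach the threshold."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, user, method, path, status = m.groups()
        if user != "-" or method not in WRITE_METHODS or not status.startswith("2"):
            continue
        # '/name' with no further segment and no leading underscore targets a whole index.
        is_index_path = path.count("/") == 1 and not path.startswith("/_")
        per_client[client][method + ("_index" if is_index_path else "")] += 1
    alerts = []
    for client, counts in per_client.items():
        if counts["DELETE_index"] >= delete_threshold:
            alerts.append({"client": client, "index_deletes": counts["DELETE_index"],
                           "index_creates": counts["PUT_index"]})
    return alerts


if __name__ == "__main__":
    print("weak:", audit_elasticsearch_config(WEAK_CONFIG))
    print("hardened:", audit_elasticsearch_config(HARDENED_CONFIG))
    print("alerts:", detect_anonymous_wipe(SAMPLE_LOG))
```

The config audit is deliberately conservative: an absent `xpack.security.enabled` is reported for review rather than assumed safe, because the default differs between major versions. The log detector ignores authenticated users entirely, so it only fires on the combination the article describes, writes from a client that never presented credentials.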
