MongoDB hackers set sights on ElasticSearch servers with widespread ransomware attacks

Mere days after thousands of MongoDB databases were hit by ransomware attacks, cybercriminals have set their sights on ElasticSearch servers, according to reports.

Hackers have reportedly hijacked insecure servers exposed to the internet with weak and easy-to-guess passwords. ElasticSearch is a Java-based search engine, commonly used by enterprises for information cataloguing and data analysis.

According to security researcher Niall Merrigan, who has been monitoring the attacks, the cybercrimianls are currently closing in on around 3,000 ElasticSearch servers. Merrigan told: "We found the first one on the 12th of Jan and then started tracking the different IOCs (Indicators Of Compromise). The first actor has levelled off and looks like it has stopped. However, a second and third actor have joined in and are continuing to compromise servers. Attackers are finding open servers where there is no authentication at all. This can be done via a number of services and tools. Unfortunately, system admins and developers have been leaving these unauthenticated systems online for a while and attackers are just picking off the low hanging fruit right now."

The recent MongoDB attacks saw hackers demand ransom and erasing data to ensure victims' compliance. In the ongoing ElasticSearch attacks, the cybercriminals demand a ransom of 0.2 Bitcoins. However, according to Merrigan, $20,000 in Bitcoins have already been paid by victims of the MongoDB attack. Despite paying the ransom, the victims have not received their data back. "So in this case it is a scam," the researcher said.

He added: "Unfortunately we are seeing escalations of the attacks as more groups join the fray. It will not get any better, I think, so people should be proactively checking their systems. If you are unsure of what to do, use a service such as Shodan and check your IP address to see what potential attackers can see about your external facing systems. Seeing what others see about your systems should be enough of an incentive to lock them down."

Javvad Malik, Security Advocate at AlienVault, told: "With ransomware, criminals are financially incentivised to look for, and take advantage of these flaws in any popular application, device, or infrastructure that is exposed on the internet and organisations should take time to identify all their assets, and validate they can't be compromised by a script looking for default or weak credentials."