The other day we blogged about the ransomware attacks on MongoDB installations that are currently sweeping the web. It turns out that whilst they're at it the hackers are also trying their luck with ElasticSearch instances with the same kind of nefarious intentions.
ElasticSearch is both a search service and a downloadable application for developers to build and deploy rapid search functionality in their applications. It powers lots of autocomplete in forms and that kind of thing, it's basically a very quick search technology that cuts out a lot of the overhead that searching a traditional database would incur.
It turns out that these servers are also insecurely configured 'out of the box'. Thousands of installations, mostly on Amazon EC2 servers, are being discovered by simply port scanning and exposing an insecure Elastic installation.
Rather than send polite emails to the owners of these services recommending that they secure them the hackers are instead removing the search index data and replacing it with a ransom note asking for bitcoin payments in exchange for the data being returned.
Luckily the bulk of use cases for ElasticSearch would be as a form of secondary search where the data is sync'd from a central data store, this should make rebuilding the indexes a pretty trivial task so hopefully not too many companies and users will be burned by this. If anyone is using it in a mission critical system and has left it open to the internet like this then, well, they'd better be reaching for those bitcoins and having a bloody good think about how they've set this up.
The advice is to make sure that your servers aren't listening for connections and if they are they should be locked down with properly configured authentication. Best practice is really to remove these instances from public view and access them via proxies within your application code, rather than accessing them directly from your front end code.
Gavin Phillips
Cowshed:Works
