The Ransoming of Elasticsearch

Posted by Ben Hundley January 12, 2017

Early this morning, users around the world reported hacks of their unsecured Elasticsearch clusters. A data ransoming group attacked vulnerable clusters they found on cloud providers. This follows the widely reported instances of tens of thousands of MongoDB databases being ransomed last week. Copycats quickly spread the MongoDB ransoming, and the copycatting has now apparently reached Elasticsearch.

The hackers responsible leave this note:

SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS p1l4t0s@sigaint.org

Elasticsearch Security vs. MongoDB Security

Given that Enterprise Search -- or the practice of making data searchable and discoverable and therefore not sensitive -- is a prime use case for Elasticsearch, perspective is important when comparing this to the MongoDB problem. During testing and development, there may be many good reasons to leave Elasticsearch open, but there are practically no good reasons to leave MongoDB open. In addition, almost no one uses Elasticsearch as a primary data store. Unlike MongoDB, Elasticsearch data is probably not the only copy of that data.

Still, you CAN put sensitive data on Elasticsearch, you CAN use Elasticsearch as a primary data store, and you CAN leave it unprotected. Due to the spread of ransoming, the practice of leaving Elasticsearch write-access unprotected should cease immediately.

Support to the Rescue!

A few Qbox customers had elected to create unsecured clusters in the past, in spite of ample warning of security risks. If you were affected, the Qbox support team has already contacted you by email, and we have made changes to ensure that no new clusters may be created without basic security credentials.

Related Post: How to Lock Down Elasticsearch, Kibana, and Logstash and Maintain Security

While securing every cluster may be a foreign practice for some to embrace, we feel it is only a matter of time before these bad actors decide to feast on more open data. In the MongoDB case, there are instances of ransom notes demanding bitcoin being replaced by new ransom messages from different actors multiple times. There is truly no honor among thieves.

We hope this keeps you (and your data) safe and warm from now on.

There is More You Can Do

If you are self-hosting Elasticsearch, you should close the loophole immediately. If you haven’t already established a backup plan, you should do that immediately, too.
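As an added example (not Qbox's or Elastic's code), the script below audits an elasticsearch.yml for the two things this post asks self-hosters to fix: a node bound to a non-loopback interface with no authentication in front of it, and no snapshot repository path configured, without which no filesystem backup repository can be registered. It assumes the flat dotted-key style of elasticsearch.yml and treats X-Pack security (`xpack.security.enabled`) as the authentication layer; a reverse proxy with auth, or another security plugin, would need its own check. Both config samples are constructed.

```python
# Values of network.host that keep the node on the loopback interface only.
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}

# Constructed sample: the kind of config that left clusters open to the ransomers.
OPEN_CONFIG = """
cluster.name: prod-search
network.host: 0.0.0.0      # reachable on every interface, including the public one
http.port: 9200
"""

# Constructed sample: bound to loopback, auth enabled, snapshot path registered.
HARDENED_CONFIG = """
cluster.name: prod-search
network.host: _local_
http.port: 9200
xpack.security.enabled: true
path.repo: ["/mnt/es-backups"]
"""


def parse_flat_yaml(text):
    """Read the flat `dotted.key: value` lines that elasticsearch.yml uses.
    Assumption: no nested YAML blocks (the dotted form is the common one)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def bound_hosts(value):
    """Turn `0.0.0.0`, `_local_` or `["10.0.0.5", "_local_"]` into a list of hosts."""
    return [h.strip().strip('"\'') for h in value.strip("[]").split(",") if h.strip()]


def audit(text):
    """Return a list of findings for one elasticsearch.yml; empty means nothing to fix."""
    s = parse_flat_yaml(text)
    findings = []

    # 1. Exposure: any non-loopback bind address is reachable from the network.
    hosts = bound_hosts(s.get("network.host", "_local_"))
    exposed = any(h not in LOOPBACK for h in hosts)
    # Assumption: X-Pack security is the auth layer in use.
    authenticated = s.get("xpack.security.enabled", "false").lower() == "true"
    if exposed and not authenticated:
        findings.append(
            "network.host=%s is reachable from the network with no authentication; "
            "bind to _local_ or require credentials on port %s"
            % (s["network.host"], s.get("http.port", "9200")))

    # 2. Backups: filesystem snapshot repositories require path.repo to be set.
    if "path.repo" not in s:
        findings.append(
            "path.repo is not set, so no filesystem snapshot repository can be "
            "registered; set it and schedule regular snapshots")
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

Run it against each node's config before the node joins the cluster; a non-empty result on the exposure check is exactly the state the ransomers were scanning for, and a missing `path.repo` means the backup plan has not actually been set up yet.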

If your instance is compromised, it’s important that no one pay this ransom. If you did pay it, you would probably not see your data returned. These are criminals, after all, and paying a ransom would most likely result only in you being marked as an easy target.

As always, incidents like these highlight the need for the competent and expert management of your Elasticsearch infrastructure. If you are currently self-hosting, consider creating your Qbox cluster today.