Unsecured Elasticsearch Data Replaced with Ransom Note

Security controls such as MFA can limit access to internet-facing databases.

By: Counter Threat Unit Research Team
Secureworks® Counter Threat Unit™ (CTU) researchers identified indexes of multiple unsecured internet-facing Elasticsearch databases replaced with a ransom note. The note demands a Bitcoin payment in exchange for the data (see Figure 1).
Figure 1. Ransom note dropped on exposed Elasticsearch database. (Source: Secureworks)
The indexes reside on various versions of Elasticsearch and require no authentication to read or write. In each case, data held in the databases was replaced with a ransom note stored in the 'message' field of an index called 'read_me_to_recover_database'. Inside the 'email' field is a contact email address. CTU™ researchers identified four distinct email addresses used in this campaign.
CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. It is not possible to determine the actual number of victims because the vast majority of the databases were hosted on networks operated by cloud computing providers. It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases.
The campaign is broad, but the ransom payment is comparatively low. CTU researchers identified over 450 individual requests for ransom payments, totaling over $280,000 USD. The average ransom request was approximately $620 payable to one of two Bitcoin wallets. As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms.
While this campaign appears to be unsuccessful, it represents a risk to organizations hosting data on internet-facing databases. Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine. Instructions on how to identify unsecured Elasticsearch databases are available.
The threat actor probably used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note. While the threat actor could have used a tool like Elasticdump to exfiltrate the data, the cost of storing data from 1,200 databases would be prohibitively expensive. It is therefore likely that the data was not backed up and that paying the ransom would not restore it.
This malicious activity is not unique to Elasticsearch. In 2020, third-party researchers discovered that approximately half of exposed MongoDB instances were wiped and replaced with a similar ransom note. Exploiting unsecured databases is not limited to data theft and extortion campaigns. Threat actors seeking sensitive information relating to specific organizations could easily build searches that identify relevant data in the indexes of internet-facing databases.
When a database requires remote access, organizations should implement multi-factor authentication (MFA) to protect internet-facing services. Organizations should also review cloud providers' security policies and not assume that data is secured by default.
To detect the presence of this threat, CTU researchers recommend that organizations use available controls to monitor the indicators listed in Table 1.
| Indicator | Type | Context |
|---|---|---|
| read_me_to_recover_database | Filename | Ransom note used in Elasticsearch compromise |
| firstname.lastname@example.org | Email address | Threat actor contact information in Elasticsearch compromise |
| email@example.com | Email address | Threat actor contact information in Elasticsearch compromise |
| firstname.lastname@example.org | Email address | Threat actor contact information in Elasticsearch compromise |
| email@example.com | Email address | Threat actor contact information in Elasticsearch compromise |
| 3BppAJxB4BfZWkh1bnagtNaZJYvnw5nEFh | Cryptocurrency wallet ID | Bitcoin account for Elasticsearch compromise ransom payments |
| 34ubNu53uXxeMjSR1xXdmECpst71CFZLNG | Cryptocurrency wallet ID | Bitcoin account for Elasticsearch compromise ransom payments |

Table 1. Indicators for this threat.
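The following triage script is an added example, not Secureworks or CTU code. It takes the JSON that Elasticsearch returns from two read-only endpoints (`GET /_cat/indices?format=json` and `GET /<index>/_search`, both standard Elasticsearch APIs) and checks them for the campaign's markers: the `read_me_to_recover_database` index, the `email` and `message` fields described above, and the wallet IDs from Table 1. The email rows are reproduced as they appear on the page, the Bitcoin address pattern is a heuristic, and the sample responses at the bottom are constructed for the example rather than captured from a real instance.

```python
"""Triage helper for the Elasticsearch ransom-note campaign described above.

Added example (not Secureworks code). Feed it the JSON from, for example:
    curl -s 'http://<host>:9200/_cat/indices?format=json'
    curl -s 'http://<host>:9200/read_me_to_recover_database/_search'
and it flags the indicators from Table 1. Sample data below is constructed.
"""
import re

# Indicators taken from Table 1 (e-mail rows reproduced as they appear on the page).
RANSOM_INDEX = "read_me_to_recover_database"
KNOWN_WALLETS = {
    "3BppAJxB4BfZWkh1bnagtNaZJYvnw5nEFh",
    "34ubNu53uXxeMjSR1xXdmECpst71CFZLNG",
}
KNOWN_EMAILS = {"firstname.lastname@example.org", "email@example.com"}

# Heuristic for legacy base58 ('1'/'3'-prefixed) and bech32 ('bc1') Bitcoin addresses,
# so a note quoting a wallet not yet in KNOWN_WALLETS is still surfaced for review.
BTC_ADDRESS_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def find_ransom_indices(cat_indices):
    """Return the names of indices matching the campaign's note index.

    cat_indices: parsed JSON list from GET /_cat/indices?format=json
    """
    return [row["index"] for row in cat_indices if row.get("index") == RANSOM_INDEX]


def analyse_note_hits(hits):
    """Extract contact e-mails and wallet addresses from ransom-note documents.

    hits: the hits["hits"] list from GET /<index>/_search
    """
    findings = {"emails": set(), "wallets": set(), "known_email": False, "known_wallet": False}
    for hit in hits:
        source = hit.get("_source", {})
        email = source.get("email")
        if email:
            findings["emails"].add(email)
            findings["known_email"] |= email in KNOWN_EMAILS
        for wallet in BTC_ADDRESS_RE.findall(source.get("message", "")):
            findings["wallets"].add(wallet)
            findings["known_wallet"] |= wallet in KNOWN_WALLETS
    return findings


def triage(cat_indices, hits):
    """Combine both checks into a list of human-readable findings (empty list = clean)."""
    report = []
    for name in find_ransom_indices(cat_indices):
        report.append(f"ransom-note index present: {name}")
    notes = analyse_note_hits(hits)
    if notes["known_wallet"]:
        report.append("note references a wallet attributed to this campaign")
    if notes["known_email"]:
        report.append("note references a contact address attributed to this campaign")
    for wallet in sorted(notes["wallets"] - KNOWN_WALLETS):
        report.append(f"note references an unattributed wallet: {wallet}")
    return report


# --- Constructed sample responses (not real captures) ------------------------
SAMPLE_CAT_INDICES = [
    {"health": "green", "status": "open", "index": "customers", "docs.count": "0"},
    {"health": "green", "status": "open", "index": RANSOM_INDEX, "docs.count": "1"},
]
SAMPLE_HITS = [
    {
        "_index": RANSOM_INDEX,
        "_id": "1",
        "_source": {
            "message": "[constructed note] pay 0.02 BTC to 3BppAJxB4BfZWkh1bnagtNaZJYvnw5nEFh",
            "email": "email@example.com",
        },
    }
]

if __name__ == "__main__":
    for line in triage(SAMPLE_CAT_INDICES, SAMPLE_HITS) or ["no indicators found"]:
        print(line)
```

Run against the sample data it reports the ransom index, the attributed wallet and the attributed contact address; an empty report means none of the Table 1 indicators were seen. Because the `email` field is indexed separately from the note text, the script reads it directly rather than pattern-matching it, and any wallet the regex finds that is not in Table 1 is listed separately so an analyst can decide whether it belongs to a variant of the same campaign.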
While MFA is a fundamental security control, it must be configured properly. Learn how the Secureworks Adversary Group bypassed misconfigured MFA in an organization’s environment.