Monday, 06 June 2022 01:40

Secureworks CTU publishes research on new threat campaign targeting unsecured Elasticsearch databases

By Secureworks

Secureworks Counter Threat Unit (CTU) researchers have identified indexes of multiple unsecured internet-facing Elasticsearch databases replaced with a ransom note. The note demands a Bitcoin payment in exchange for the data.

The indexes reside on various versions of Elasticsearch and require no authentication to read or write. In each case, the data held in the database was replaced with a ransom note stored in the 'message' field of an index called 'read me to recover database'. The 'email' field of the same index holds a contact email address. CTU researchers identified four distinct email addresses used in this campaign.

CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. It is not possible to determine the actual number of victims because the vast majority of the databases were hosted on networks operated by cloud computing providers. It is likely that some databases belong to the same organisation, but identifying specific victims was not possible in most cases.

The campaign is broad, but the ransom payment is comparatively low. CTU researchers identified over 450 individual requests for ransom payments, totaling over US$280,000. The average ransom request was approximately US$620 payable to one of two Bitcoin wallets. As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms.

While this campaign appears to be unsuccessful, it represents a risk to organisations hosting data on internet-facing databases. Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine. Instructions on how to identify unsecured Elasticsearch databases are available.

This malicious activity is not unique to Elasticsearch. In 2020, third-party researchers discovered that approximately half of exposed MongoDB instances were wiped and replaced with a similar ransom note. Exploiting unsecured databases is not limited to data theft and extortion campaigns. Threat actors seeking sensitive information relating to specific organisations could easily build searches that identify relevant data in the indexes of internet-facing databases.

When a database requires remote access, organisations should implement multi-factor authentication (MFA) to protect internet-facing services. Organisations should also review cloud providers' security policies and not assume that data is secured by default.
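The two findings above, an instance that answers the REST API without credentials and an instance that already carries the 'read me to recover database' index with its 'message' and 'email' fields, can be checked against an organisation's own Elasticsearch inventory. The script below is an added example written for this article; it is not Secureworks' code and not part of Elasticsearch. It uses only the standard `_cat/indices` and `_search` REST endpoints, and the `audit()` function, the `classify_auth()` / `find_ransom_index()` / `extract_ransom_notes()` helpers and the sample responses are all constructed here for illustration.

```python
"""
Audit helper for an organisation's own internet-facing Elasticsearch endpoints.

Added example (not Secureworks' or Elasticsearch's code). It reports:
  1. whether the REST API answers an unauthenticated request at all, and
  2. whether the ransom-note index described in the CTU report is present,
     and if so what its 'message' and 'email' fields contain.
The parsing functions work offline on the constructed sample responses below;
only audit() touches the network.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

RANSOM_INDEX = "read me to recover database"  # index name reported by CTU


def classify_auth(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET /_cat/indices to a finding."""
    if status == 200:
        return "OPEN"           # index listing readable with no credentials
    if status in (401, 403):
        return "AUTH_REQUIRED"  # security enabled, request was rejected
    return "UNKNOWN"


def find_ransom_index(cat_indices_json: str) -> bool:
    """True when a _cat/indices?format=json listing contains the ransom-note index."""
    try:
        entries = json.loads(cat_indices_json)
    except json.JSONDecodeError:
        return False
    return any(isinstance(e, dict) and e.get("index") == RANSOM_INDEX for e in entries)


def extract_ransom_notes(search_json: str) -> list:
    """Pull 'message' and 'email' out of a _search response on the ransom index."""
    notes = []
    try:
        hits = json.loads(search_json).get("hits", {}).get("hits", [])
    except (json.JSONDecodeError, AttributeError):
        return notes
    for hit in hits:
        src = hit.get("_source", {})
        if "message" in src:
            notes.append({"message": src["message"], "email": src.get("email")})
    return notes


def _get(url: str, timeout: float = 5.0) -> tuple:
    """Unauthenticated GET returning (status, body); network only, not exercised offline."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit(base_url: str) -> dict:
    """Audit one endpoint you operate, e.g. audit('http://es.internal.example:9200')."""
    base = base_url.rstrip("/")
    status, body = _get(f"{base}/_cat/indices?format=json")
    result = {"auth": classify_auth(status), "ransom_index": False, "notes": []}
    if result["auth"] == "OPEN" and find_ransom_index(body):
        result["ransom_index"] = True
        _, search_body = _get(f"{base}/{urllib.parse.quote(RANSOM_INDEX)}/_search")
        result["notes"] = extract_ransom_notes(search_body)
    return result


# Constructed sample responses (not captured from any real host).
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "logs-2022.05"},
    {"health": "yellow", "status": "open", "index": RANSOM_INDEX},
])
SAMPLE_SEARCH = json.dumps({
    "hits": {"hits": [{"_index": RANSOM_INDEX, "_source": {
        "message": "<constructed ransom text demanding a Bitcoin payment>",
        "email": "contact@example.invalid"}}]}
})

if __name__ == "__main__":
    print("auth finding for HTTP 200:", classify_auth(200))
    print("ransom index present:", find_ransom_index(SAMPLE_CAT_INDICES))
    print("notes:", extract_ransom_notes(SAMPLE_SEARCH))
```

An `AUTH_REQUIRED` result is what a correctly configured cluster should return; an `OPEN` result on an internet-facing host is the exposure the article describes, whether or not the ransom index is present yet, and is the condition to fix by enabling authentication and restricting network access rather than by deleting the note.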
