Thousands of Elasticsearch servers left exposed without a password are being targeted and wiped by an unknown hacker. Further, he is indexing a security firm's name in all his attacks, as a decoy to divert researchers. Though the security firm named has denied any involvement, the hacker has compromised over 15,000 servers to date with an automated script.
Scan – Breach – Wipe
Elasticsearch is a full-text search engine based on the Lucene library. According to ZDNet, thousands of its servers have been under attack since March 24th. Since then, the attacker, who is still unidentified, has been intruding into Elasticsearch servers every day. With just over 150 servers wiped by March 26th, this looked like a prank at first, but he has gone on to attack over 15,000 servers to date.
All the servers attacked were unprotected: they had no passwords and were simply exposed on the internet. They were scanned, targeted and intruded upon, with cut-off log entries found on Elasticsearch servers every day since March 24th. Making this more interesting is the indexing of a cybersecurity firm's URL, nightlionsecurity.com. Researchers are identifying the companies that may have been affected by the wiping and informing them of the issue.
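The weakness the article describes is a node bound to a public interface with authentication switched off. As an added example that is not part of the article, the following `elasticsearch.yml` fragment shows that exposed pattern beside a hardened configuration; the interface addresses are placeholders, and `network.host` and `xpack.security.enabled` are standard Elasticsearch settings.

```yaml
# elasticsearch.yml -- added example, not from the article; host values are placeholders.

# Exposed pattern (what the wiped servers looked like): bound to every interface,
# security disabled, so anyone reaching port 9200 can read, index or delete data.
# network.host: 0.0.0.0
# xpack.security.enabled: false

# Hardened configuration:
network.host: 127.0.0.1          # bind to loopback or a private interface only (placeholder)
http.port: 9200
xpack.security.enabled: true     # require authentication on the REST API
```

After enabling security, set passwords for the built-in users with `bin/elasticsearch-setup-passwords interactive`, and keep a snapshot repository so that a wiped index can be restored rather than lost. A quick self-check is that an unauthenticated `curl http://<host>:9200/` from outside the private network must be refused, not answered with the cluster banner.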
Night Lion Security's founder Vinny Troia denied any association with the hacker who is wiping the servers. In an interview with DataBreach.net, he explained that he was aware of the ongoing server attacks and suspects a hacker whom he has been following for years. That hacker is even the subject of Vinny's upcoming book. These may be the reasons someone is trying to frame Vinny and allege his involvement in the Elasticsearch wiping incidents.
A search in BinaryEdge by ZDNet revealed over 34,500 Elasticsearch servers exposed to the public without password protection. Besides this, there is even a second hacker attacking Elasticsearch servers. This secondary attack is minor compared to the wiping, as he is just breaching those unprotected servers and leaving a message asking victims to contact him. This could turn into a ransomware attack soon.