Hackers have been locating unprotected Elasticsearch servers exposed on the internet faster than search engines can index them, new research from Comparitech has found.
A so-called ‘honey pot’ experiment tempted more than 150 unauthorised requests to a fake database with the first coming under 12 hours from being exposed.
Javvad Malik, Security Awareness Advocate at KnowBe4 commented that exposed servers are a huge concern & are responsible for exposing a ‘large number’ of records on a near daily basis worldwide.
Malik observed “It’s why it’s important that organisations have a strong security culture embedded throughout the organisation so that through each department, there are robust security controls in place.
“For example, for Elasticsearch servers, organisations should ensure that servers are only accessible remotely once users have been securely authenticated, the data has been encrypted, and there is monitoring in place to detect when there is any access. Additionally, assurance controls should regularly test that the required security is in place and operating as expected.”
The Comparitech’s research team explained that the Elasticsearch server was left exposed on the web from May 11 until May 22 attracting around 18 attacks per day.
Robert Ramsden-Board, VP EMEA, at Securonix explained that the research shows just how ‘opportunistic’ attackers are & that there are unfortunately “no holds barred when it comes to finding these databases” on the internet.
Ramsden-Board further then warned: “Servers should never be left without authentication or a password. This is just basic cyber-security hygiene, but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence.
“Leaked data can expose customers to a host of security threats, which could leave them vulnerable to scammers. Threats range from identify theft, ‘catfishing’ & blackmail to harassment, phishing & fraud.
“This research should serve as a lesson that leaving a database exposed for any amount of time on the internet is unacceptable & therefore, stringent measures should be put in place to ensure it doesn’t happen.”
Research showed it took search engines like BinaryEdge until May 21, & Shodan until May 16 to index the system, while hackers began to probe within just 8 hours & 30 minutes.
Martin Jartelius, CSO at Outpost24 explained “We’ve seen this time and time again – companies using Elasticsearch for analytics or big data projects & making ‘careless’ mistakes in the misconfiguration.
“To prevent this scenario, companies must ensure they have the security process & controls in place to assess & be alerted of potential misconfigurations on a continuous basis.
“With GDPR, privacy & security need to be taken seriously. It is upsetting to note that these unprotected servers are being found so regularly – almost as if there is a lack of even trying.”
This study also disclosed that most attacks came from the US (89), Romania (38), & China (15), though this was somewhat unreliable, as attackers can hide their true IP address using proxy services.
Jamie Akhtar, CEO & Co-Founder of CyberSmart observed that the research on Elasticsearch servers reveals the ‘power of basic cyber-hygiene practice’ to protect against attack.
Akhtar also observed “By enabling two-factor authentication or using strong passwords, businesses & employees could prevent unauthorised access to an Elasticsearch server – & potentially devastating attacks.
“The UK’s Cyber Essentials scheme is a great blueprint for cyber hygiene with its 5 security control areas which is why we encourage SMEs to follow it. These are relatively simple security moves- making sure security settings are enabled & software is up-to-date- but they make a big difference.”
David Kennefick, Product Architect at Edgescan commented that data breaches as a result of misconfigured infrastructure/databases occur “more often than we’d like to think”.
“Organisations should consider monitoring their environment continuously in order to be able to spot these exposures so they can be locked down & removed from global access as soon as possible.
Azure & AWS
“Services such as Azure & AWS have an automatic control that locks down machines & servers in the form of enforced security groups, meaning that, to leave a database exposed, users would have to go out of their way to configure settings to expose them. Misconfigurations usually happen when teams are managing technologies that do not have these types of controls enabled by default.
“It is important not to assume that the service you are using is secure — it is better to double-check, test & take a little longer to create your environment securely than to accidentally leave sensitive information exposed & open to all sorts of attacks & legal liabilities.”
A good many attacks wished to mine for cryptocurrency by using an old vulnerability (CVE-2015-1427), where several IP addresses were utilised, but had a common download source for the mining script.