Elasticsearch Servers Latest Target of Ransom Attacks

An estimated 35,000 Elasticsearch clusters exposed to the public Internet are potential victims of a series of ransom attacks that have already hit over 33,000 MongoDB databases.

The attacks, which security researchers Victor Gevers and Niall Merrigan call a “ransack,” have been ongoing for the past several weeks, but until recently targeted only MongoDB databases. To conduct the attack, adversaries discover exposed, insecure databases, (supposedly) steal their contents, and then demand a ransom to return the data.

Given that multiple hackers joined the campaign in an attempt to cash in on the existence of databases that haven’t been properly secured, 34,000 MongoDB instances had been impacted as of Thursday. Victor Gevers, the researcher who first discovered the attack, told SecurityWeek earlier this week that all of the insecure databases could be ransacked within the next couple of weeks, or earlier.

Now, it appears that the attackers have expanded their targets to Elasticsearch instances, with over 600 hosts hit to date. Ransomware has already proven a highly profitable business for many, and it’s no wonder that crooks are looking for a wider attack surface, given that the MongoDB space is becoming crowded.

According to a tweet from John Matherly, founder of Shodan, there are approximately 35,000 Elastic servers exposed to the Internet, and that number certainly looks highly appealing to any hacker. The majority of these servers are on Amazon Web Services, and the company has already started sending out emails to warn customers about the attack, it seems.

What’s yet uncertain is whether the Elasticsearch ransack campaign was started by actors involved in the MongoDB massacre or not. Based on information posted by victims, the modus operandi is certainly identical: insecure instances are hacked and data replaced with a note informing the owner to send payment to a Bitcoin address and then email the attacker to retrieve the data.

As Elastic explains, “Elasticsearch is a distributed, RESTful search and analytics engine” that “centrally stores your data.” Unlike MongoDB instances, which offer no form of security by default, Elasticsearch installations bind to localhost by default, thus keeping them away from unauthorized access.

With an increasing number of unsecured, Internet-accessible instances popping up, and with all of them being potential targets for ransom attacks, owners should consider securing them as soon as possible. Elastic has already published a blog post to signal the risk of leaving servers exposed to the Internet and to provide instructions on how to secure them.

While running Elasticsearch on an isolated non-routable network is ideal, the company admits that there are instances where the cluster has to be accessible over the Internet. In such cases, Elastic says, admins should restrict access to the cluster via firewall, VPN, reverse proxy, or other technology. Customers using Elastic Cloud aren’t affected, the company says.
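Because Elasticsearch only becomes reachable from the Internet when someone changes its default loopback binding, the quickest self-check is to read the node's own `elasticsearch.yml` and flag any `network.host` value that is not loopback. The following audit script is an added example, not code from Elastic or from this article. It assumes a simple YAML subset (one `key: value` per line, `#` comments, bracketed lists) and uses Elastic's documented special values `_local_`, `_site_` and `_global_`; the sample configurations are constructed for the demonstration.

```python
"""Audit an elasticsearch.yml for bind settings that expose the node.

Added example, not Elastic's code. Assumes a minimal YAML subset
(one `key: value` per line, `#` comments, list values written as
`[a, b]`); Elasticsearch's real parser accepts more than this.
"""
import ipaddress

# Elasticsearch special values that resolve to non-loopback interfaces
# ("_local_" is the loopback default and is treated as safe below).
EXPOSING_SPECIAL_VALUES = {"_site_", "_global_", "0.0.0.0", "::"}


def _parse_settings(text):
    """Flatten `key: value` lines into a dict, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def _split_values(value):
    """Accept either a scalar or a `[a, b]` list and return the items."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]


def _is_loopback(value):
    """True for the loopback default, `localhost`, 127.x.x.x and ::1."""
    if value in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        # Hostnames and interface names such as _eth0_ are treated as exposed.
        return False


def audit_elasticsearch_config(text):
    """Return a list of findings; an empty list means no exposure was found."""
    settings = _parse_settings(text)
    findings = []
    # With network.host absent, Elasticsearch binds to loopback only.
    host = settings.get("network.host") or settings.get("network.bind_host")
    if host is None:
        return findings
    for value in _split_values(host):
        if value in EXPOSING_SPECIAL_VALUES:
            findings.append(
                f"network.host={value} binds non-loopback interfaces; "
                "restrict with a firewall, VPN or reverse proxy"
            )
        elif not _is_loopback(value):
            findings.append(f"network.host={value} binds a non-loopback address")
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_CONFIG = """
cluster.name: logs
# constructed: listens on every interface, reachable from the Internet
network.host: 0.0.0.0
http.port: 9200
"""

SAFE_CONFIG = """
cluster.name: logs
# constructed: loopback only; put a reverse proxy or VPN in front if needed
network.host: 127.0.0.1
http.port: 9200
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or ["no exposure found"])
```

Run it against a copy of the node's `elasticsearch.yml`; any finding means the node is listening beyond loopback and needs the firewall, VPN or reverse-proxy restriction Elastic recommends before it is left reachable.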

Itamar Syn-Hershko, Elastic consulting partner, also provides details on what can be done to secure clusters. What’s more, he explains why some of the actions that admins take, or settings they go for, aren’t always a good idea from a security point of view.

“Whatever you do, never expose your cluster nodes to the web,” he says. “Your cluster should never-ever be exposed to the public web,” he continues.

While only insecure MongoDB and Elasticsearch installations appear to have been targeted so far, it might not be too long before other types of databases start being attacked as well. As BinaryEdge found a while ago, over 1 petabyte of data is exposed online due to misconfigured Redis (REmote DIctionary Server), MongoDB, Memcached, and Elasticsearch installations.

Related: 33,000 Databases Fall in MongoDB Massacre

Related: Honeypot Catches 8,000 Attempts to Exploit Critical Elasticsearch Flaw

Written by Ionut Arghire, international correspondent for SecurityWeek.