Secureworks researches new threat to Elasticsearch databases
Researchers from Secureworks' Counter Threat Unit (CTU) have identified indexes of multiple internet-facing Elasticsearch databases replaced with a ransom note.
The CTU says the note demands a Bitcoin payment in exchange for the data. The affected indexes reside on a range of Elasticsearch versions, and the instances required no authentication to read or write, which is what allowed the attacker to overwrite them.
CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. However, they say it is impossible to determine the actual number of victims because most of the databases were hosted on networks operated by cloud computing providers.
They say it is likely that some databases belong to the same organisation, but identifying specific victims was not possible in most cases.
In each case, data held in the databases was replaced with a ransom note stored in the 'message' field of an index called 'read_me_to_recover_database'. The CTU says inside the 'email' field was a contact email address. CTU researchers identified four distinct email addresses used in this campaign.
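The indicator described above can be checked for from the defender's side. The script below is an added example, not code from Secureworks or the CTU report: it parses the `_cat/indices` listing and the ransom-note document, flags the indicator index, classifies whether any user data survived, and pulls the contact address and candidate wallet strings out of the note for triage. The index listing, note text, e-mail address and wallet string are constructed placeholders; `audit_instance` is a hypothetical live check that also treats an unauthenticated 200 on `GET /` as a finding, since that is the exposure the campaign relies on.

```python
import json
import re
import urllib.error
import urllib.request

# Indicators taken from the CTU description of the campaign: the ransom note
# is a document in an index with this exact name, with the note text in a
# 'message' field and the attacker's contact address in an 'email' field.
RANSOM_INDEX = "read_me_to_recover_database"

# Syntactic filter for Bitcoin addresses (legacy Base58 and bech32 forms) so
# wallets can be pulled out of the note text for triage. Shape only, no
# checksum validation.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")

# Constructed placeholder wallet (not a real or campaign address).
SAMPLE_WALLET = "bc1qplaceholderwallet00000000000000000"

# Constructed sample of GET /_cat/indices?format=json from a wiped instance:
# the original indexes are gone and only the ransom index and a system index
# remain. Not data from the report.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "read_me_to_recover_database",
     "docs.count": "1", "store.size": "4.1kb"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "30kb"},
])

# Constructed sample of GET /read_me_to_recover_database/_search. The note
# text and e-mail address are placeholders, not the campaign's own.
SAMPLE_NOTE_SEARCH = json.dumps({
    "hits": {"total": {"value": 1, "relation": "eq"}, "hits": [
        {"_index": "read_me_to_recover_database", "_id": "1", "_source": {
            "message": "Your database was deleted. Send 0.02 BTC to "
                       + SAMPLE_WALLET + " then email us.",
            "email": "recover@example.com"}}]}
})


def find_ransom_indexes(cat_indices_json):
    """Return the names of indexes that match the ransom-note indicator."""
    return [e["index"] for e in json.loads(cat_indices_json)
            if e.get("index") == RANSOM_INDEX]


def classify_instance(cat_indices_json):
    """Triage one instance from its index list.

    'clean'        : no ransom index
    'wiped'        : ransom index present and no user indexes survive
    'note_present' : ransom index sits alongside surviving user indexes
    System indexes (names starting with '.') do not count as user data.
    """
    names = [e["index"] for e in json.loads(cat_indices_json)]
    if RANSOM_INDEX not in names:
        return "clean"
    user_indexes = [n for n in names if not n.startswith(".") and n != RANSOM_INDEX]
    return "note_present" if user_indexes else "wiped"


def extract_ransom_notes(search_json):
    """Pull the note text, contact e-mail and candidate wallets from each hit."""
    notes = []
    for hit in json.loads(search_json)["hits"]["hits"]:
        src = hit.get("_source", {})
        message = src.get("message", "")
        notes.append({"id": hit.get("_id"), "email": src.get("email"),
                      "message": message,
                      "wallets": BTC_ADDRESS_RE.findall(message)})
    return notes


def audit_instance(base_url, timeout=5):
    """Hypothetical live check of one node (needs network; the samples above
    do not exercise it). A 200 on GET / with no credentials is itself a
    finding: the REST API is reachable without authentication."""
    def get(path):
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.read().decode()
    try:
        get("/")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return {"unauthenticated": False, "state": None, "notes": []}
        raise
    result = {"unauthenticated": True, "notes": []}
    result["state"] = classify_instance(get("/_cat/indices?format=json"))
    if result["state"] != "clean":
        result["notes"] = extract_ransom_notes(get("/" + RANSOM_INDEX + "/_search"))
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. http://10.0.3.15:9200
        print(json.dumps(audit_instance(sys.argv[1]), indent=2))
    else:  # offline demonstration on the constructed samples
        print(classify_instance(SAMPLE_CAT_INDICES),
              extract_ransom_notes(SAMPLE_NOTE_SEARCH))
```

Run without arguments it works only on the embedded samples; run against a base URL it performs the same checks live, and a node that answers `GET /` without a 401 is already in the state the campaign exploited, whether or not the ransom index is present yet.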
They say the campaign is broad, but the individual ransom demands are comparatively low. There were more than 450 individual requests for ransom payments, totalling more than US$280,000. The average demand was approximately $620, payable to one of two Bitcoin wallets.
But CTU researchers say both wallets are currently empty and do not appear to have been used to transact funds related to the ransoms. They say that while this campaign appears to be unsuccessful, it represents a risk to organisations hosting data on internet-facing databases.
CTU researchers say unsecured Elasticsearch instances are easy to identify using the Shodan search engine, and instructions on identifying unsecured Elasticsearch databases are available.
They say the threat actor likely used an automated script to identify the vulnerable databases, wipe the data and drop the ransom note. While the threat actor could have used a tool such as Elasticdump to exfiltrate the data first, storing the contents of more than 1,200 databases would have been prohibitively expensive. CTU researchers therefore believe the attacker did not keep a copy of the data, so paying the ransom would not restore it.
The CTU says this malicious activity is not unique to Elasticsearch.
In 2020, third-party researchers discovered that approximately half of exposed MongoDB instances had been wiped and replaced with a similar ransom note. The CTU says exploiting unsecured databases is not limited to data theft and extortion campaigns.
It says threat actors seeking sensitive information relating to specific organisations could quickly build searches that identify relevant data in the indexes of internet-facing databases.
The CTU says that when a database requires remote access, organisations should implement multi-factor authentication (MFA) to protect internet-facing services. Organisations should also review their cloud providers' security policies and not assume that data is secured by default. In practice an Elasticsearch node rarely needs to be reachable from the internet at all: bind it to a private interface, enable the built-in authentication and TLS, and put any remote access behind a VPN or identity-aware proxy that enforces MFA, since Elasticsearch's own realms authenticate with passwords, API keys or client certificates and the MFA step has to come from the identity provider or proxy in front of it.
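The exposure behind the campaign comes down to a few elasticsearch.yml settings. The script below is an added example, not from Secureworks or Elastic: it holds a constructed weak configuration (bound to every interface, security switched off) beside a hardened counterpart (private bind address, authentication and TLS on) and audits both with a small flat-YAML parser. The setting names are Elastic's own; the cluster name, addresses and keystore path are placeholders, and treating an unset `xpack.security.enabled` as a finding is this example's choice, made because the setting defaulted to off before 8.0.

```python
import ipaddress

# Constructed weak elasticsearch.yml: the shape behind the campaign, a node
# bound to every interface with Elastic's security features switched off, so
# the REST API answers unauthenticated reads and writes from anywhere.
WEAK_CONFIG = """\
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed hardened counterpart: private bind address, authentication on,
# TLS on the HTTP layer. The keystore path is a placeholder.
HARDENED_CONFIG = """\
cluster.name: analytics
network.host: 10.0.3.15
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.

    Comments and blank lines are skipped. Nested YAML maps and bare values
    that themselves contain ':' (unquoted IPv6 literals) are not handled.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def bind_exposure(host):
    """Classify network.host as 'loopback', 'private', 'public' or 'unknown'.

    An unset network.host means Elasticsearch binds to loopback only.
    """
    if host is None or host in ("_local_", "localhost"):
        return "loopback"
    if host in ("0.0.0.0", "::", "_global_"):
        return "public"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unknown"  # interface names such as _eth0_, or hostnames
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def audit_config(text):
    """Return a list of findings; an empty list means no weak setting found."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host")
    exposure = bind_exposure(host)
    if exposure in ("public", "unknown"):
        findings.append(f"network.host={host}: node bound beyond loopback ({exposure})")
    security = s.get("xpack.security.enabled")
    if security == "false":
        findings.append("xpack.security.enabled=false: REST API accepts "
                        "unauthenticated reads and writes")
    elif security is None:
        # Before 8.0 the setting defaulted to false on the basic licence, so an
        # absent value is reported rather than assumed safe (example's choice).
        findings.append("xpack.security.enabled not set: make it explicit")
    if exposure != "loopback" and s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials "
                        "and data cross the network in clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

A 'private' bind address is only the first layer: in a cloud VPC the security group, load balancer or port-forwarding rules decide whether that address is reachable from the internet, which is exactly why provider defaults should be reviewed rather than assumed.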