For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.
According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.
The attacks appear to be carried out with the help of an automated script that scans the internet for Elasticsearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.
The attacking script doesn’t appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.
However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.
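The following triage check is added here as an example; it is not code from the article, from Night Lion Security, or from Elastic. It reads the standard `GET /_cat/indices?format=json` listing of a cluster the operator owns and looks for the `nightlionsecurity.com` marker index next to the absence of any data-bearing index, which is the pattern the article describes. The sample listings are constructed, and `base_url` is assumed to be a host you operate.

```python
import json
import urllib.request

# Indicator from the article: the attacking script leaves behind an empty
# index named after the firm it is trying to frame.
MARKER_INDEX = "nightlionsecurity.com"


def fetch_indices(base_url, timeout=5):
    """GET /_cat/indices?format=json from a cluster you operate, deliberately
    without credentials: success means the cluster answers anonymous callers
    and is exposed as described above. Raises HTTPError 401/403 if auth is on."""
    url = f"{base_url.rstrip('/')}/_cat/indices?format=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def triage(indices):
    """Classify an index listing. A wipe may delete indices or leave them
    empty, so the signal is the marker index with no data-bearing index."""
    marker_present, empty, intact = False, [], []
    for entry in indices:
        name = entry.get("index", "")
        if name == MARKER_INDEX:
            marker_present = True
            continue
        count = entry.get("docs.count")  # _cat returns counts as strings;
        if count is None:                # None means a closed index: skip
            continue
        (empty if int(count) == 0 else intact).append(name)
    return {"marker_present": marker_present,
            "empty_indices": empty, "intact_indices": intact}


def verdict(report):
    """'wiped', 'defaced-intact' (marker present, data survived) or 'clean'."""
    if not report["marker_present"]:
        return "clean"
    return "defaced-intact" if report["intact_indices"] else "wiped"


# Constructed sample listings (not real clusters) in _cat/indices JSON shape.
SAMPLE_WIPED = [{"index": "nightlionsecurity.com", "docs.count": "0"},
                {"index": "logs-2020.03.23", "docs.count": "0"}]
SAMPLE_DEFACED_INTACT = [{"index": "nightlionsecurity.com", "docs.count": "0"},
                         {"index": "logs-2020.03.25", "docs.count": "18452"}]
SAMPLE_CLEAN = [{"index": "logs-2020.03.25", "docs.count": "18452"}]
```

Run `verdict(triage(fetch_indices("http://<your-host>:9200")))` against your own cluster; a successful anonymous fetch is itself a finding, regardless of the verdict.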
Night Lion Security denies any involvement
In a Signal conversation with this reporter yesterday, Vinny Troia, the founder of Night Lion Security, denied that his company had anything to do with the ongoing attacks.
In an interview he gave DataBreaches.net on March 26, Troia said he believes the attack is being carried out by a hacker he has been tracking for years, and who is also the subject of a recently released book.
But while the attacks looked like a prank on March 26, they’re not funny anymore. From the roughly 150 defaced Elasticsearch servers at the time of the first interview, the number of Elasticsearch servers where the nightlionsecurity.com index is now present has risen to more than 15,000, according to a BinaryEdge search.
The number is quite large, considering that BinaryEdge lists a total of 34,500 Elasticsearch servers that are directly exposed on the public internet.
Troia said he notified law enforcement about the attacks.
ZDNet has also reached out to the Elastic security team, which is now also looking into the growing number of attacked servers.
Wethington is currently compiling a list of servers impacted by this attack, trying to identify companies that might have had services disrupted.
Furthermore, while looking into this issue, Wethington also identified a second hacker who is also targeting Elasticsearch servers. This attacker is breaking into unsecured servers and leaving a message telling victims they’ve been hacked and urging them to reach out via email. Currently, only 40 servers have this message, suggesting the attack is small in scale.
However, these types of destructive attacks where Elasticsearch data is wiped are not the first of their kind. In the spring and summer of 2017, multiple hacker groups engaged in database ransom attacks against multiple types of database technologies, including Elasticsearch.
Thousands of Elasticsearch servers had data wiped in 2017, and ransom messages left behind, inviting owners to pay ransom requests to recover their data — with victims unaware that the data was never stolen or backed up by the attacker, but merely deleted.
Article updated on April 4, 8:35pm ET, to clarify that Troia’s book has already been released.