Researchers at Secureworks’ Counter Threat Unit (CTU) have identified indexes of multiple Internet-facing Elasticsearch databases that a ransom note has replaced.
The CTU says the note demands a Bitcoin payment for the data. It tells us the indexes are on different versions of Elasticsearch and don’t require authentication to read or write.
CTU researchers identified more than 1,200 Elasticsearch databases containing the ransom note. However, they say it is impossible to determine the number of victims, as most databases were hosted on networks operated by cloud computing providers.
They say it is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases.
CTU researchers identified four different email addresses used in this campaign. In each case, the database data was replaced by a ransom note stored in the ‘message’ field of an index called ‘read_me_to_recover_database’. The CTU says the “email” field contained a contact email address.
They say the campaign is broad, but the ransom is relatively low. There were more than 450 individual ransom requests worth more than $280,000. The average ransom request was about $620, payable to one of the two Bitcoin wallets.
But CTU researchers say both wallets are currently empty and do not appear to have been used for trading funds related to the ransom. They say that while this campaign seems to be unsuccessful, it poses a risk to organizations hosting data on Internet-facing databases.
CTU researchers say insecure Elasticsearch instances are easy to identify with the Shodan search engine, and instructions for identifying uncertain Elasticsearch databases are available.
They say the threat actor likely used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note. While the threat actor could have used a tool like Elasticdump to exfiltrate the data, storing data from 1,200 databases would be expensive. CTU researchers say that the data was likely not backed up and that paying the ransom would not restore it.
In 2020, outside researchers found that about half of the exposed MongoDB, instances had been wiped and replaced with a similar ransom note. The CTU says exploiting unsecured databases is not limited to data theft and extortion campaigns.
It says threat actors seeking sensitive information about specific organizations can quickly set up searches that identify relevant data in the indexes of Internet-facing databases.
The CTU says that organizations should implement multi-factor authentication (MFA) when a database requires remote access to protect internet-facing services. Organizations should also review the security policies of cloud providers and not assume that data is protected by default.