After days of wreaking havoc among MongoDB servers, a group of crooks has moved on to hijacking ElasticSearch servers and asking for similar ransoms. The first wave of attacks hit ElasticSearch server owners yesterday, with some of the victims complaining on the ElasticSearch forums. IT security experts from Imperva and AlienVault commented below.
Terry Ray, Chief Product Strategist at Imperva:
“After 14 years in data security, I’m no longer surprised when speaking to organizations at the limited visibility that security, database administrators, and risk teams have as to who, how, and why entities touch their data.
There is no reason why a company with even a basic data security strategy should allow an administrator to access, much less delete, all information from a database without some level of oversight or workflow controls. Since cloud-based NoSQL systems are relatively new, the experience of data scientists on these systems varies greatly. And, like almost all database systems, security configuration is not a priority.
I also find it interesting that the criminals here have decided that there is more money to be made by extortion than through the sale of the data on the dark web. But then again, even if a company pays the ransom, there is no guarantee that the hackers won’t also try to monetize the data. For the company, the real cost is the downtime associated with not being able to access critical systems. This is a prime example of why it is important to continuously monitor data where it lives and to block the actions of malicious actors.”
Javvad Malik, Security Advocate at AlienVault:
“Like MongoDB, the ElasticSearch attacks are not so much about the technologies themselves, but in the way people have implemented them using either default configurations or weak passwords.
It highlights the disconnect between many developers and good security practices, appearing as if getting functionality working takes precedence over security.
With ransomware, criminals are financially incentivized to look for, and take advantage of, these flaws in any popular application, device, or infrastructure that is exposed on the internet, and organizations should take time to identify all their assets and validate that they can’t be compromised by a script looking for default or weak credentials.”
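The validation Malik recommends, as an added example that is not part of the original article or of any vendor's tooling: a small Python script that asks an Elasticsearch node for its cluster banner and its index list without sending any credentials, then reports whether the node answered. If both requests succeed anonymously, anyone who can reach the port can read, and with a DELETE request destroy, every index, which is the condition the ransom attacks described above rely on. The target host, port and the sample responses embedded below are constructed for illustration; only the shape of the responses (GET / returning `cluster_name` and `tagline`, GET /_cat/indices?format=json returning a JSON array) is Elasticsearch's own.

```python
"""Anonymous-access check for an Elasticsearch HTTP endpoint.

Added example, not code from the article, from Elastic or from Imperva/AlienVault.
Host, port and the SAMPLE_* responses are constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample: what an unauthenticated node returns on GET /
SAMPLE_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "5.1.1"},
    "tagline": "You Know, for Search",
})
# Constructed sample: GET /_cat/indices?format=json on the same node
SAMPLE_INDICES = json.dumps([
    {"index": "customers", "docs.count": "120034", "store.size": "48mb"},
    {"index": "logs-2017.01", "docs.count": "9931", "store.size": "6mb"},
])


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, body).

    A 401/403 is returned as a status instead of raised so the caller can
    tell 'authentication is enforced' apart from 'nothing is listening'.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(banner_status, banner_body, indices_status, indices_body):
    """Turn the two raw responses into a finding.

    exposed       -> banner and index list both readable anonymously
    auth_required -> the node answered 401 to an anonymous client
    cluster       -> cluster_name from the banner, or None if this is not
                     an Elasticsearch node at all (e.g. another web server)
    """
    finding = {"exposed": False, "auth_required": False, "cluster": None, "indices": []}
    if 401 in (banner_status, indices_status):
        finding["auth_required"] = True
        return finding
    if banner_status != 200:
        return finding
    try:
        banner = json.loads(banner_body)
    except ValueError:
        return finding
    # Every Elasticsearch root banner carries the cluster name and tagline;
    # without them we are talking to something else on that port.
    if not isinstance(banner, dict) or "cluster_name" not in banner or "tagline" not in banner:
        return finding
    finding["cluster"] = banner["cluster_name"]
    if indices_status == 200:
        try:
            finding["indices"] = sorted(row["index"] for row in json.loads(indices_body))
        except (ValueError, KeyError, TypeError):
            pass  # unparseable list; the banner alone still proves anonymous access
        finding["exposed"] = True
    return finding


def check_host(host, port=9200):
    """Run both anonymous requests against host:port and classify the result."""
    base = "http://%s:%d" % (host, port)
    b_status, b_body = fetch(base + "/")
    i_status, i_body = fetch(base + "/_cat/indices?format=json")
    return classify(b_status, b_body, i_status, i_body)


if __name__ == "__main__":
    # Usage: python es_anon_check.py <host> [port]; defaults are for illustration
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9200
    try:
        result = check_host(target, port)
    except (urllib.error.URLError, OSError) as exc:
        print("%s:%d unreachable (%s)" % (target, port, exc))
        sys.exit(2)
    if result["exposed"]:
        print("%s:%d EXPOSED: cluster %r, %d indices readable without credentials"
              % (target, port, result["cluster"], len(result["indices"])))
        sys.exit(1)
    if result["auth_required"]:
        print("%s:%d requires authentication" % (target, port))
    elif result["cluster"]:
        print("%s:%d banner readable, index list not" % (target, port))
    else:
        print("%s:%d is not an Elasticsearch node" % (target, port))
```

Run it against every host in the asset inventory rather than only the ones believed to be Elasticsearch; the point of the check is to find the nodes nobody knew were listening. A non-zero exit code for the exposed case makes it easy to wire into a scheduled job.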