Back at the end of March 2020, information security specialist John Wethington told ZDNet reporters that someone had launched a large-scale campaign against poorly protected Elasticsearch servers. An unknown attacker breaks into Elasticsearch instances exposed without authentication and tries to deface them or erase all their contents. At the same time, he is trying to lay the blame for the deed on the American information security company Night Lion Security.
The first attacks were noticed on March 24, 2020 and appear to be automated: a script scans the Internet for insecure Elasticsearch servers, connects to the database, tries to erase its contents, and then creates a new empty index called nightlionsecurity.com. For some reason the attacking script does not succeed in every case, and the nightlionsecurity.com index is present even in databases whose content was ultimately left untouched. Because of the variable nature of the data stored on Elasticsearch servers, experts find it difficult to determine the exact number of affected systems.
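The indicator described above (an empty marker index named nightlionsecurity.com, with or without the rest of the data wiped) is easy to check for from the defender's side. The script below is an added example written for this article, not code from ZDNet, the researchers or Elastic: it parses the JSON form of the cluster's own `GET /_cat/indices?format=json` listing, flags the marker index, and reports whether the cluster looks wiped (marker present and no documents left in user indices) or only marked. The three sample listings are constructed for illustration; `fetch_cat_indices` is a hypothetical helper for running the same check against a cluster you administer.

```python
import json
import urllib.request

# Marker index the campaign is reported to create on compromised clusters (from the article).
IOC_INDEX_NAMES = {"nightlionsecurity.com"}


def parse_cat_indices(body: str) -> list:
    """Parse the JSON form of GET /_cat/indices?format=json into a list of row dicts."""
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array from _cat/indices")
    return data


def find_ioc_indices(indices: list) -> list:
    """Return the marker index names present in the listing, sorted."""
    return sorted(row["index"] for row in indices if row.get("index") in IOC_INDEX_NAMES)


def assess(indices: list) -> dict:
    """Classify a cluster listing: marker present? any user data left?"""
    iocs = find_ioc_indices(indices)
    # User indices: everything except the marker and Elasticsearch's own dot-prefixed
    # system indices (.kibana, .security, ...), which survive a wipe of user data.
    user_rows = [
        row for row in indices
        if row.get("index") not in IOC_INDEX_NAMES and not str(row.get("index", "")).startswith(".")
    ]
    # _cat/indices reports docs.count as a string; missing/empty means 0.
    remaining_docs = sum(int(row.get("docs.count") or 0) for row in user_rows)
    return {
        "ioc_indices": iocs,
        "remaining_user_indices": len(user_rows),
        "remaining_docs": remaining_docs,
        # Marker present and no user documents left: matches the "wiped" outcome.
        "likely_wiped": bool(iocs) and remaining_docs == 0,
        # Marker present but data still there: the partial outcome the article describes.
        "marked_not_wiped": bool(iocs) and remaining_docs > 0,
    }


def fetch_cat_indices(base_url: str, timeout: float = 10.0) -> list:
    """Hypothetical helper: pull the listing from a cluster you operate (not used offline)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/_cat/indices?format=json", timeout=timeout) as resp:
        return parse_cat_indices(resp.read().decode("utf-8"))


# Constructed sample listings (not captured from any real server).
SAMPLE_WIPED = json.dumps([
    {"health": "green", "status": "open", "index": "nightlionsecurity.com", "pri": "1", "rep": "1", "docs.count": "0"},
    {"health": "green", "status": "open", "index": ".kibana_1", "pri": "1", "rep": "0", "docs.count": "4"},
])
SAMPLE_MARKED_ONLY = json.dumps([
    {"health": "yellow", "status": "open", "index": "nightlionsecurity.com", "pri": "1", "rep": "1", "docs.count": "0"},
    {"health": "yellow", "status": "open", "index": "customers-2020", "pri": "5", "rep": "1", "docs.count": "128311"},
])
SAMPLE_CLEAN = json.dumps([
    {"health": "green", "status": "open", "index": "logs-2020.03", "pri": "1", "rep": "1", "docs.count": "9021"},
])


if __name__ == "__main__":
    for label, body in (("wiped", SAMPLE_WIPED), ("marked", SAMPLE_MARKED_ONLY), ("clean", SAMPLE_CLEAN)):
        print(label, assess(parse_cat_indices(body)))
```

The check is deliberately conservative: it only classifies as "wiped" when the marker index is present and no documents remain outside system indices, so a cluster that was legitimately empty but never marked is not reported. Note that being able to retrieve `_cat/indices` at all without credentials from outside your network is itself the exposure this campaign relies on, so the listing should be taken from inside the cluster's own network or through an authenticated client.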
Night Lion Security founder Vinny Troia denies that his company has anything to do with what is happening. In an interview with DataBreaches.net on March 26, 2020, Troia said that, in his opinion, these attacks are carried out by a hacker whom he has been tracking for several years and who is the subject of his forthcoming book.
But if on March 26 the attacks still looked like someone's prank, the situation has since noticeably worsened. According to the BinaryEdge search engine, the nightlionsecurity.com index is currently present on approximately 15,000 servers, whereas at the end of March there were only 150. For comparison, BinaryEdge "sees" only 34,500 Elasticsearch servers accessible from the Internet in total.
Troia has now told ZDNet that he has already notified law enforcement about what is happening, and the journalists themselves have contacted the Elastic security team, which is now also studying these attacks. In turn, John Wethington is busy compiling a list of servers affected by the attacks and is trying to identify companies that might have experienced service outages.
Even worse, while investigating this campaign, Wethington discovered another hacker who is also attacking insecure Elasticsearch servers. This attacker leaves a message on the servers stating that the server was hacked and urging its owners to contact the hacker by e-mail. This message is currently found on 40 servers.