URL: https://www.secureworks.com/blog/unsecured-elasticsearch-data-replaced-with-ransom-note
Submission: On June 20 via api from IN — Scanned from DE
Unsecured Elasticsearch Data Replaced with Ransom Note

Security controls such as MFA can limit access to internet-facing databases.

Wednesday, June 1, 2022
By: Counter Threat Unit Research Team

Secureworks® Counter Threat Unit™ (CTU) researchers identified indexes of multiple unsecured internet-facing Elasticsearch databases replaced with a ransom note. The note demands a Bitcoin payment in exchange for the data (see Figure 1).

[Figure 1. Ransom note dropped on exposed Elasticsearch database. (Source: Secureworks)]

The indexes reside on various versions of Elasticsearch and require no authentication to read or write. In each case, data held in the databases was replaced with a ransom note stored in the 'message' field of an index called 'read_me_to_recover_database'. Inside the 'email' field is a contact email address. CTU™ researchers identified four distinct email addresses used in this campaign.

CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. It is not possible to determine the actual number of victims because the vast majority of the databases were hosted on networks operated by cloud computing providers. It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases.

The campaign is broad, but the ransom payment is comparatively low. CTU researchers identified over 450 individual requests for ransom payments, totaling over $280,000 USD. The average ransom request was approximately $620 payable to one of two Bitcoin wallets. As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms.

While this campaign appears to be unsuccessful, it represents a risk to organizations hosting data on internet-facing databases. Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine. Instructions on how to identify unsecured Elasticsearch databases are available.
The threat actor probably used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note. While the threat actor could have used a tool like Elasticdump to exfiltrate the data, storing the data from 1,200 databases would be prohibitively expensive. It is therefore likely that the data was not backed up and that paying the ransom would not restore it.

This malicious activity is not unique to Elasticsearch. In 2020, third-party researchers discovered that approximately half of exposed MongoDB instances were wiped and replaced with a similar ransom note.

Exploiting unsecured databases is not limited to data theft and extortion campaigns. Threat actors seeking sensitive information relating to specific organizations could easily build searches that identify relevant data in the indexes of internet-facing databases.

When a database requires remote access, organizations should implement multi-factor authentication (MFA) to protect internet-facing services. Organizations should also review cloud providers' security policies and not assume that data is secured by default.

To detect the presence of this threat, CTU researchers recommend that organizations use available controls to monitor the indicators listed in Table 1.
| Indicator | Type | Context |
| --- | --- | --- |
| read_me_to_recover_database | Filename | Ransom note used in Elasticsearch compromise |
| b1ackcr0w@protonmail.com | Email address | Threat actor contact information in Elasticsearch compromise |
| babadasa@protonmail.com | Email address | Threat actor contact information in Elasticsearch compromise |
| erbard@mailfence.com | Email address | Threat actor contact information in Elasticsearch compromise |
| erbard@tutanota.com | Email address | Threat actor contact information in Elasticsearch compromise |
| 3BppAJxB4BfZWkh1bnagtNaZJYvnw5nEFh | Cryptocurrency wallet ID | Bitcoin account for Elasticsearch compromise ransom payments |
| 34ubNu53uXxeMjSR1xXdmECpst71CFZLNG | Cryptocurrency wallet ID | Bitcoin account for Elasticsearch compromise ransom payments |

Table 1. Indicators for this threat.

While MFA is a fundamental security control, it must be configured properly. Learn how the Secureworks Adversary Group bypassed misconfigured MFA in an organization’s environment.

Tags: multi factor authentication
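The following is an added example, not code from the Secureworks post, showing one way a defender could sweep an Elasticsearch cluster they administer for the Table 1 indicators. It assumes (this is not stated in the post) that the index listing has the shape returned by Elasticsearch's `_cat/indices?format=json` API and that the ransom-note document is the `_source` of a search hit; the sample listing and document below are constructed, as are the function names `suspicious_indices`, `indicators_in_text` and `classify_document`. The indicator values themselves are exactly those in Table 1.

```python
"""
Added example (not Secureworks code): flag the Table 1 indicators in data
pulled from an Elasticsearch cluster you administer.

Assumptions (not from the blog post): the index listing is shaped like the
JSON returned by Elasticsearch's `_cat/indices?format=json` API, and the
ransom-note document is the `_source` of a hit from the
`read_me_to_recover_database` index. All sample inputs here are constructed.
"""
import json
import re

# Indicators from Table 1 of the post.
RANSOM_INDEX = "read_me_to_recover_database"
ACTOR_EMAILS = {
    "b1ackcr0w@protonmail.com",
    "babadasa@protonmail.com",
    "erbard@mailfence.com",
    "erbard@tutanota.com",
}
ACTOR_WALLETS = {
    "3BppAJxB4BfZWkh1bnagtNaZJYvnw5nEFh",
    "34ubNu53uXxeMjSR1xXdmECpst71CFZLNG",
}

# Constructed sample: two ordinary indexes plus the ransom-note index.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "index": "orders-2022.05", "docs.count": "18233"},
    {"health": "green", "index": "customers", "docs.count": "9031"},
    {"health": "yellow", "index": "read_me_to_recover_database", "docs.count": "1"},
])

# Constructed sample: a hit shaped like the note the post describes, with the
# contact address in 'email' and the wallet mentioned in 'message'.
SAMPLE_NOTE_DOC = json.dumps({
    "_index": "read_me_to_recover_database",
    "_source": {
        "message": "CONSTRUCTED SAMPLE NOTE: payment to 3BppAJxB4BfZWkh1bnagtNaZJYvnw5nEFh",
        "email": "erbard@tutanota.com",
    },
})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Base58 Bitcoin addresses (P2PKH/P2SH) start with 1 or 3; Base58 omits 0, O, I, l.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def suspicious_indices(cat_indices_json: str) -> list[str]:
    """Return names of indexes matching the ransom-note index indicator."""
    entries = json.loads(cat_indices_json)
    return [e["index"] for e in entries if e.get("index") == RANSOM_INDEX]


def indicators_in_text(text: str) -> dict[str, list[str]]:
    """Pull Table 1 emails and wallets out of free text (e.g. a 'message' field)."""
    emails = sorted({m.lower() for m in EMAIL_RE.findall(text)} & ACTOR_EMAILS)
    wallets = sorted(set(BTC_RE.findall(text)) & ACTOR_WALLETS)
    return {"emails": emails, "wallets": wallets}


def classify_document(doc_json: str) -> dict:
    """Score one hit: index-name match plus any Table 1 indicator in its fields."""
    doc = json.loads(doc_json)
    src = doc.get("_source", {})
    # Concatenate every field value so an indicator is caught wherever it sits.
    text = " ".join(str(v) for v in src.values())
    found = indicators_in_text(text)
    index_match = doc.get("_index") == RANSOM_INDEX
    return {
        "index_match": index_match,
        "emails": found["emails"],
        "wallets": found["wallets"],
        "alert": index_match or bool(found["emails"]) or bool(found["wallets"]),
    }


if __name__ == "__main__":
    print("suspicious indexes:", suspicious_indices(SAMPLE_CAT_INDICES))
    print("note classification:", classify_document(SAMPLE_NOTE_DOC))
```

Matching on the index name alone is the cheapest check and is the first thing to alert on; the text scan is there because the same actor addresses and wallets could appear in other fields or other index names, so the indicator match does not depend on the attacker reusing the exact index name. A hit of any kind should be treated as confirmation that the instance was reachable without authentication, which is the root cause the post's MFA recommendation addresses.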
© 2022 Secureworks, Inc.