Organizations often forget to implement standard procedures in protecting their assets on the Internet. These procedures, among others, include implementing the authentication and regularly performing Vulnerability Assessment and Penetration Testing (VAPT). Without these procedures in place, organizations’ assets are highly likely to become targeted by cyber attackers. Such an incident happened in 2020 when a cyber attacker targeted many MongoDB servers openly accessible on the Internet – MongoDB is a document-oriented database program used to store data. Consequently, the attacker downloaded the data and released a ransom note to the affected organizations.
Recently, the Cyble Research Lab discovered an anonymous attacker targeting Elasticsearch (ES) servers hosted on the Internet without having an authentication system in place. These ES servers contain corporate data. As a popular product used by many organizations, ES is written in Java programming language, JavaScript, transmitting structured data in web applications. Additionally, it is a JavaScript Object Notation (JSON) based analytics and search engine with a Hypertext Transfer Protocol (HTTP) web interface.
Analysis
As shown in Figure 1, Cyble researchers discovered publicly hosted and openly accessible ES while conducting routine Open-Source Intelligence (OSINT) work.
Figure 1 Elasticsearch (ES) search result on Shodan
As shown in Figure 2, Cyble researchers found a readme file with a note asking for ransom in exchange for data recovery on one of the ES servers. The ransomware note provides instructions for data recovery, as shown in Table 1.
Figure 2 Ransom note present on ES Servers.
| All your data is a backed up. You must pay 0.015 BTC to 1PpLEwVd35mrb7qzZtgNhkcF8JjxrsNEX5 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: allmydataback@mailnesia.com and you will receive a link to download your database dump. |
Table 1 Content of ransom note present on ES Servers.
As shown in Table 1, the attacker provided a crypto wallet address to the affected organization to pay the ransom in bitcoins within 48 hours, purchasable from the LocalBitcoins peer-to-peer bitcoin marketplace. Otherwise, the attacker threatened to report the breach to the General Data Protection Regulation (GDPR). After making the payment, the attacker would return the data to the affected organization via the provided contact.
As shown in Figure 3, after interacting with the few endpoints of the exposed ES server’s Application Programming Interface (API), Cyble researchers discovered the datastores’ presence in Gigabytes, publicly accessible without any authentication.
Figure 3 Index list from the ES Server
Cyble researchers were able to access the data from one of the indexes and discover it contained sensitive data, as shown in Figure 4.
Figure 4 The Content one of the Index’s
Furthermore, Cyble researchers have discovered that the same attacker targeted many other ES servers without an active authentication system in place. The attacker targeted these ES servers via an automated script which is leveraging the data provided by Shodan, a search engine that helps users find specific types of computers connected to the Internet using a variety of filters.
Our researchers have assessed that the attacker’s script tools might put in action as follows: once the script finds an ES server hosted on port “9200”, it tries to fetch the list of indexes by calling “/_cat/indices” API endpoints, as shown in Figure 3. Consequently, the attacker gets the list of indexes, iterates through each index, and then dumps the data using “/indexname/search,” as shown in Figure 4.
Figure 5 shows the flow diagram how the script might work for targeting the ES servers.
Figure 5 Flow Diagram Speculation about the attacker’s automated script
The attack which has happened in this case is similar to a typical ransomware attack. However, the difference from a typical ransomware attack is that the attacker has access to the files and requests a ransom to return the files. In the former case where the victim has a backup of the encrypted files, the victim can retrieve the files on its own. However, in the latter case of ransomware, it does not matter whether the organization has the files backup or not. The attacker can download all the data, release the data to the public, and inform the regulatory body if the affected organization fails to pay the ransom amount.
Cyble Research Lab has also identified that the same attacker having targeted many MongoDB servers hosted on the Internet without having an authentication system in place. We can see a similar message in the collection name “ReadME”, as shown in Figure 6.
Figure 6 Ransom Note present in MongoDB server
The Cyble Research Lab has included all the attacker’s BTC and Email address found in ransom note shown Table 2 and 3.
| Attacker’s BTC Address |
| 1PpLEwVd35mrb7qzZtgNhkcF8JjxrsNEX5 |
| 1ABZfAvaB11Aqg2EsvW7QePhmUbdLhFZN1 |
| 1LjmcZAiNEnZrNiGhw4VcNVCx4RUbjX9rJ |
| 18REeCxoZHiEQnz25c3hVXPNh5XeL65rpk |
Table 2 BTC address of Attacker
| Attacker’s Email ID |
| allmydataback@mailnesia.com |
| myDB33j@recoverme.one |
| recoverybase@cock.li |
Table 3 Email id of Attacker
Conclusion
Cyble researchers have seen multiple instances in the past wherein the attackers have been trying to exfiltrate data from openly available data servers via default credentials or exploits. This attack vector is still present today. Therefore, Cyble recommends that these servers holding such data must be monitored carefully.
Our Recommendations
- Do not make servers accessible to the public unless required.
- Enable strong authentication of ES servers on both GUI (Kibana) or APIs.
- Backup the data present in ES.
- Perform Vulnerability Assessment and Penetration Testing (VAPT) on such servers.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1078 | Valid Accounts |
| Collections | T1213 | Data from Information Repositories |
| Command and Control | T1567 | Exfiltration Over Web Service |
| Impact | T1485 | Data Destruction |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
