The hackers behind recent attacks on MongoDB have now turned their attention to ElasticSearch, with the cyber crooks demanding similar ransoms for compromised servers.
The recent attacks against MongoDB wreaked havoc on a reported half of internet-facing MongoDB databases. Hackers looked for MongoDB installations on the internet and targeted those without a set administrator password. The hackers then took control of these unsecure accounts, deleted data and demanded a ransom for the return of said data.
Now the same hackers are using the same tricks to ransom ElasticSearch users, taking over weakly password-protected servers reachable from the internet. Niall Merrigan, a security researcher who tracked the MongoDB attacks, has already reported that over 600 hosts have been hit in the extortion cyber attacks.
According to reports, a cyber gang going under the name P1l4tos is behind the attacks on both MongoDB and the Java-based search engine ElasticSearch.
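The root cause described above is a database listening on every interface with no authorization configured. The following is an added example, not code from the article or from the MongoDB project: a small audit that reads a mongod.conf and flags those two settings, using a hand-written parser for the nested key/value subset of YAML that mongod.conf uses (the sample configurations are constructed; the option names net.bindIp and security.authorization are real MongoDB settings).

```python
"""Flag the two mongod.conf settings behind the ransom attacks: listening on all
interfaces and running without authorization. Added example, not from the
article. The parser below handles only nested scalar mappings, which is all a
typical mongod.conf needs (no lists, anchors or multi-line values)."""

from typing import Any, Dict, List

# Constructed sample of an exposed server: bound to every interface,
# security section commented out, so any client gets full rights.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
#security:
#  authorization: enabled
"""

# Constructed hardened counterpart: bound to loopback plus one trusted
# address, with role-based authorization switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse an indentation-based mapping of scalar values (YAML subset)."""
    root: Dict[str, Any] = {}
    # Stack of (indent, mapping) so nested keys attach to the right parent.
    stack: List[tuple] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    # Absence of net.bindIp is treated as all interfaces, which was the
    # mongod binary default before 3.6.
    net = conf.get("net", {})
    bind_ip = str(net.get("bindIp", "0.0.0.0")) if isinstance(net, dict) else "0.0.0.0"
    if any(addr.strip() in ("0.0.0.0", "::") for addr in bind_ip.split(",")):
        findings.append("net.bindIp listens on all interfaces; restrict to trusted addresses")

    # Without security.authorization: enabled, no credentials are required.
    security = conf.get("security", {})
    auth = str(security.get("authorization", "disabled")).lower() if isinstance(security, dict) else "disabled"
    if auth != "enabled":
        findings.append("security.authorization is not enabled; clients connect with full rights")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["OK"])
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`; an empty result means the server is at least not open to the attack pattern the article describes, though it says nothing about the strength of the passwords that are then required.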
At the core of these attacks is unprotected administrative access, a basic security failing that has drawn criticism from security experts.
“There is no reason why a company with even a basic data security strategy should allow an administrator to access, much less delete all information from a database without some level of oversight or workflow controls,” said Terry Ray at Imperva.
“Since cloud-based NoSQL systems are relatively new, the experience of data scientists on these systems varies greatly. And, like almost all database systems, security configuration is not a priority.”
The attacks on MongoDB and ElasticSearch also highlight the growing trend of hackers choosing extortion over dark web trades.
“I also find it interesting that the criminals here have decided that there is more money to be made by extortion than through the sale of the data on the dark web. But then again, even if a company pays the ransom, there is no guarantee that the hackers won’t also try to monetize the data,” said Mr Ray.