
MongoDB hackers now sacking ElasticSearch

Open season on open services

It is open season on open services as net scum migrate from sacking MongoDB databases to insecure ElasticSearch instances.

Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says.

So far more than 360 instances have had data copied and erased, held to ransom using the same techniques that blitzed tens of thousands of MongoDB servers this week.

Affected ElasticSearch administrators are greeted in one actor's attacks with a message reading:

"Send 0.2 bitcoins to this wallet: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r if you want recover (sic) your database! Send to this email your service IP after sending the bitcoins p14t0s@sigaint.org (sic)."

Amazon is reportedly shipping emails warning of the risks of exposed services.
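The exposure pattern behind these attacks is a plain HTTP API bound to a public interface with nothing authenticating requests, which is also what the lock-down advice at the end of this article is about. The following audit script is an added example for this page, not code from the article or from Elastic: it parses an elasticsearch.yml, checks the REST API bind address against the authentication setting, and reports the risk. The setting names (network.host, http.host, http.port, xpack.security.enabled) are real Elasticsearch settings; the two sample configurations are constructed, and the script assumes a deployment where the security setting is available (on the 5.x releases current at the time it required the X-Pack plugin).

```python
"""Audit an elasticsearch.yml for the exposure behind the ransom attacks:
an HTTP API bound to a public interface with nothing authenticating requests.

Added example for this article, not code from the article or from Elastic.
The setting names (network.host, http.host, http.port,
xpack.security.enabled) are real Elasticsearch settings; the sample
configuration texts below are constructed for the demonstration.
"""

# Bind addresses that only the local machine can reach.  "_local_" is the
# Elasticsearch special value for loopback and has been the default since 2.x.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_yml(text):
    """Minimal parser for the flat 'key: value' lines in elasticsearch.yml.

    Comments and blank lines are skipped and surrounding quotes are stripped.
    Nested YAML maps are not handled; the settings that matter here are flat.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_public_bind(value):
    """True if any address in a (possibly comma-separated or bracketed) bind
    setting accepts connections from outside the host, e.g. 0.0.0.0, _site_,
    _global_ or a LAN address."""
    hosts = [h.strip() for h in value.strip("[]").split(",") if h.strip()]
    return any(h not in LOOPBACK for h in hosts)


def audit(config_text):
    """Return {'risk': level, 'findings': [...]} for one elasticsearch.yml."""
    s = parse_yml(config_text)
    # http.host overrides network.host for the REST API; the default is loopback.
    http_bind = s.get("http.host", s.get("network.host", "_local_"))
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    port = s.get("http.port", "9200")
    findings = []

    if is_public_bind(http_bind) and not auth_on:
        findings.append(
            f"HTTP API on {http_bind}:{port} is reachable from the network and "
            "answers every request unauthenticated: anyone who can connect can "
            "read, copy and delete every index."
        )
        risk = "CRITICAL"
    elif is_public_bind(http_bind):
        findings.append(
            f"HTTP API on {http_bind}:{port} is network-reachable; authentication "
            "is enabled, but also restrict the port at the firewall or security group."
        )
        risk = "MEDIUM"
    else:
        risk = "OK"
    return {"risk": risk, "findings": findings}


# Constructed sample configs: the exposed pattern and its locked-down form.
WEAK_CONFIG = """\
cluster.name: prod-search
network.host: 0.0.0.0      # listen on every interface
http.port: 9200
"""

HARDENED_CONFIG = """\
cluster.name: prod-search
network.host: 127.0.0.1    # loopback only; reach it via an authenticating proxy or VPN
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {result['risk']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the config on each node; a CRITICAL result on a host with a public address is exactly the state the ransom notes above were left in. Binding to loopback and adding an authenticating layer are independent controls, and the script grades a public bind with authentication as MEDIUM rather than OK because the listener is still one misconfiguration away from the exposed case.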

The MongoDB ransom attacks, in which data is erased and returned only after payment, have escalated so sharply that at least one security boffin is offering affected companies free assistance.

The successful method is a threat to many open services. The Australian Communications and Media Alliance through its Australian Internet Security Initiative (AISA) has reported scores of open services including some 400 exposed Australian-based MongoDB databases.

It reports about 550 exposed ElasticSearch servers each day, 100 more than exposed MongoDB databases.

Exposed Intelligent Platform Management Interfaces, which are far riskier, are more numerous still, with AISA reporting a consistent 1400 exposed services a day, a number which would be much higher if HTTP and HTTPS interfaces were included.

Security boffins say those exposed services are "seriously scary" and are likely to be popular platforms such as Dell, IBM, and HP, many of which have default credentials; Dell's Remote Access Controllers were found to all ship with default credentials of root and calvin. Popping those could grant access to large fleets of servers, software and operating system upgrades, and other administrative tasks [PDF].

MongoDB defended its database saying it was secure. It has since posted advice on how administrators should lock down their exposed installs. ®
