MongoDB hackers now sacking ElasticSearch

Open season on open services


It is open season on open services as net scum migrate from sacking MongoDB databases to insecure ElasticSearch instances.

Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says.

So far more than 360 instances have had data copied and erased, held to ransom using the same techniques that blitzed tens of thousands of MongoDB servers this week.

In one actor's attacks, affected ElasticSearch administrators are greeted with a message reading:

"Send 0.2 bitcoins to this wallet: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r if you want recover (sic) your database! Send to this email your service IP after sending the bitcoins p14t0s@sigaint.org (sic)."

Amazon is reportedly shipping emails warning of the risks of exposed services.

The MongoDB ransom attacks, in which data is erased and returned only after payment, have escalated so sharply that at least one security boffin is offering affected companies free assistance.

The successful method is a threat to many open services. The Australian Communications and Media Alliance through its Australian Internet Security Initiative (AISA) has reported scores of open services including some 400 exposed Australian-based MongoDB databases.

It reports about 550 exposed ElasticSearch servers each day, roughly 100 more than the number of exposed MongoDB databases.

Exposure of the much riskier Intelligent Platform Management Interfaces is higher still, with AISA reporting a consistent 1400 exposed services a day, a figure that would be much higher if HTTP and HTTPS interfaces were included.

Security boffins say those exposed services are "seriously scary" and are likely to be popular platforms such as Dell, IBM, and HP, many of which have default credentials; Dell's Remote Access Controllers were all found to ship with default credentials of root and calvin. Popping those could grant access to large fleets of servers, software and operating system upgrades, and other administrative tasks [PDF].

MongoDB defended its database, saying it was secure. It has since posted advice on how administrators should lock down their exposed installs. ®
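As an added example that is not part of this story nor of MongoDB's own advice, the check below is a small offline linter for the two settings that decide whether an install like those ransomed here is reachable by anyone: the bind address and whether authentication is on. It assumes flat `key: value` or `key = value` lines (ES-style `network.host`, MongoDB's `bindIp`/`authorization`) and Elasticsearch's built-in `xpack.security.enabled` switch; the config texts at the bottom are constructed samples.

```python
"""Flag Elasticsearch / MongoDB config settings that leave the service open."""
import re

# Bind values that listen on every interface. Elasticsearch's special value
# _global_ means "any globally routable address" and is treated the same way.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def _setting(text, key):
    """Value of `key: value` (YAML) or `key = value` (ini) in config text, or None.
    Only flat lines are parsed; nested YAML (net:\n  bindIp:) still matches
    because leading whitespace is allowed before the key."""
    m = re.search(r"^\s*%s\s*[:=]\s*([^#\n]+)" % re.escape(key), text, re.M)
    return m.group(1).strip().strip("\"'[]") if m else None


def _binds_publicly(value):
    """True if any comma-separated bind address listens on all interfaces."""
    return any(v.strip().strip("\"'") in PUBLIC_BINDS for v in value.split(","))


def audit_elasticsearch(yml):
    """Findings for an elasticsearch.yml; an empty list means nothing obvious."""
    findings = []
    host = _setting(yml, "network.host")
    if host is None:
        findings.append("network.host unset: confirm this version's default bind address")
    elif _binds_publicly(host):
        findings.append("network.host=%s listens on all interfaces" % host)
    # Without a security plugin the HTTP API (port 9200) has no credentials at all.
    if _setting(yml, "xpack.security.enabled") != "true":
        findings.append("no authentication enabled on the HTTP API")
    return findings


def audit_mongodb(conf):
    """Findings for a mongod.conf (YAML) or legacy ini-style config."""
    findings = []
    bind = _setting(conf, "bindIp") or _setting(conf, "bind_ip")
    if _setting(conf, "bindIpAll") == "true" or (bind and _binds_publicly(bind)):
        findings.append("mongod listens on all interfaces")
    elif bind is None:
        findings.append("bindIp unset: confirm this version's default bind address")
    if _setting(conf, "authorization") != "enabled":
        findings.append("authorization not enabled: any client can read and drop databases")
    return findings


# Constructed samples: the exposed shape seen in the attacks, and a locked-down one.
WEAK_ES = "cluster.name: prod-search\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED_ES = "cluster.name: prod-search\nnetwork.host: 127.0.0.1\nxpack.security.enabled: true\n"
WEAK_MONGO = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_MONGO = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
```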



Biting the hand that feeds IT © 1998–2022