Cyberattackers are targeting misconfigured Elasticsearch cloud buckets exposed on the public Internet and stealing the wide-open data, then replacing it with a ransom note.
According to Secureworks Counter Threat Unit (CTU) researchers, more than 1,200 indexes have already been affected, with the attackers issuing 450 requests for Bitcoin payment in exchange for the return of the data. However, the ransom amounts are relatively low, researchers have pointed out: Taken together, all of the demands total just $280,000.
“The average ransom request was approximately $620 payable to one of two Bitcoin wallets,” they noted in a Wednesday analysis. “As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms.”
Despite the lackluster follow-through on the part of attackers thus far, the situation highlights a serious issue: Misconfiguration of databases placed in the public cloud has reached epidemic proportions, with large numbers of enterprises mistakenly leaving storage buckets from Amazon Web Services, Google Cloud, and Microsoft Azure accessible with no authentication to read or write the data.
Often, these open instances are discovered by security researchers and locked down without incident — but system misconfigurations still drove an estimated 13% of overall malicious system breaches recorded in the recent Verizon’s 2022 “Data Breach Investigations Report” (DBIR), with misconfigured cloud storage instances making up the bulk of those.
“Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine,” the CTU researchers noted. “The threat actor probably used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note.”
They added, “the cost of storing data from 1,200 databases would be prohibitively expensive. It is therefore likely that the data was not backed up and that paying the ransom would not restore it.”
In 2020, ESET researchers uncovered a similar attack that affected half of all exposed MongoDB instances, which were wiped and replaced with a ransom note.