"Thousands of Unprotected Elasticsearch Databases Are Being Ransomed"

Researchers with Secureworks reported a new cybercrime campaign in which many unsecured, Internet-facing Elasticsearch instances have their databases stolen and replaced with a ransom note demanding payment for the data's return. The Secureworks Counter Threat Unit (CTU) identified four email addresses tied to the compromise of more than 1,200 different databases. Because the ransom text is identical in every case, all of the databases were likely compromised by the same threat actor. The precise number of affected organizations remains unclear, since most of the databases were hosted on cloud provider networks and some most likely belong to the same organization. Although the campaign is large, the threat actor does not appear to have had much success: Secureworks found that the attackers use two Bitcoin wallets, one of which showed only two transactions totaling roughly $600 at the time of reporting. This article continues to discuss the targeting of Elasticsearch databases in ransom attacks, the threat posed by unsecured databases, and recommendations for bolstering database security.

TechRepublic reports "Thousands of Unprotected Elasticsearch Databases Are Being Ransomed"