Elasticsearch Ransomware


TLDR:

  1. Use X-Pack if you can,
  2. Do not expose your cluster to the internet,
  3. Do not use default configurations, e.g. ports,
  4. Disable HTTP where possible (data-only nodes do not need it),
  5. If it must be internet-facing: run it behind a firewall, a reverse proxy such as Nginx (see example config), a VPN, etc.,
  6. Disable dynamic (inline/stored) scripts,
  7. Take regular backups of your data with Curator, if you are not already.
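As an added example (this is not code from the original post, nor from Elastic), the script below audits an elasticsearch.yml against TL;DR items 1, 2, 3, 4 and 6. Items 5 and 7 (firewall/Nginx and Curator) live outside that file, so it does not check them. The two sample configs are constructed for the example; the setting names are the Elasticsearch 2.x/5.x keys in use when this post was written, and the finding texts are the example's own.

```python
"""Audit an elasticsearch.yml (ES 2.x/5.x setting names) against the TL;DR list.

Added example, not part of the original post. WEAK_CONFIG and HARDENED_CONFIG
are constructed samples, not real cluster configs."""


def parse_flat_yaml(text):
    """Tiny parser for the flat 'key: value' lines elasticsearch.yml is made of.
    Comments and blank lines are dropped; nested YAML is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _is_true(value, default):
    """YAML-ish truthiness; an absent key takes the Elasticsearch default."""
    if value is None:
        return default
    return value.lower() in ("true", "on", "yes", "1")


def audit(text):
    """Return a list of (tldr_item, finding) tuples; empty means nothing risky found."""
    s = parse_flat_yaml(text)
    findings = []

    # 1. X-Pack security. The key only exists once X-Pack is installed, so an
    #    absent key is treated as "no authentication", which is how an open
    #    cluster looks from the outside.
    if not _is_true(s.get("xpack.security.enabled"), default=False):
        findings.append((1, "xpack.security.enabled is not true: REST API has no authentication"))

    # 2. Binding to a non-loopback address makes the REST API reachable from
    #    other hosts (ES >= 2.0 defaults to loopback). Fine behind a firewall
    #    or proxy on a private interface, fatal on a public one.
    host = s.get("network.host", "_local_")
    if host in ("0.0.0.0", "::", "_global_", "_site_") or not host.startswith(("127.", "localhost", "_local_")):
        findings.append((2, "network.host=%s: REST API reachable from other hosts" % host))

    # 4. HTTP defaults to on; only client-facing nodes need it.
    http_on = _is_true(s.get("http.enabled"), default=True)

    # 3. The default port is what mass scanners look for.
    if http_on and s.get("http.port", "9200") == "9200":
        findings.append((3, "http.port is the default 9200"))
    if http_on:
        findings.append((4, "http.enabled is true (data-only nodes can turn it off)"))

    # 6. Inline and stored scripts run attacker-supplied code on the node.
    for key in ("script.inline", "script.stored"):
        if _is_true(s.get(key), default=True):
            findings.append((6, "%s is enabled" % key))

    return findings


# Constructed sample: the kind of node that ends up in a ransom note.
WEAK_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
script.inline: true
"""

# Constructed sample: a data-only node following the TL;DR.
HARDENED_CONFIG = """
cluster.name: prod-logs
network.host: _local_
http.enabled: false          # clients go through a separate node behind Nginx
script.inline: false
script.stored: false
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The weak sample trips every check it covers; the hardened one comes back clean. One caveat: `network.host` binds both HTTP and the transport layer, so a multi-host cluster on ES 5.x should set `http.host` and `transport.host` separately rather than pinning everything to loopback, and later major versions have renamed or removed some of these keys (notably `http.enabled`), so check the settings reference for the version you run.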

 

Well, we all saw that coming, didn't we? Once MongoDB started being ransomed by criminals, other NoSQL-type technologies were surely queued up to follow. Now it is Elasticsearch ransomware, and no surprise either that most Elasticsearch clusters are open to the internet. It goes without saying that even the "secured" ones mostly sit behind weak/guessable passwords, on default ports, with unneeded HTTP enabled.

The attackers are currently emptying out clusters and leaving a note behind demanding payment:

 “Send 0.2 BTC (bitcoin) to this wallet xxxxxxxxxxxxxx234235xxxxxx343xxxx  if you want recover your database! Send to this email your service IP after sending the bitcoins xxxxxxx@xxxxxxx.org”

Rest assured, if you are using Elastic Cloud you are covered by its default Shield/X-Pack protection. To protect a self-hosted cluster, the team at Elastic have posted a guide here. Such a guide really should not be news to any Elasticsearch admin! If it is, then action is nigh!

There is also a detailed step by step guide on all things securing your Elasticsearch cluster: “Don’t be ransacked: Securing your Elasticsearch cluster properly” by Itamar Syn-Hershko

So far it has mostly been Amazon-hosted services that were hit. But the same Elasticsearch ransomware techniques work against any unsecured (wrongly configured) Elasticsearch instance, whether hosted elsewhere or self-hosted.

Spoilt for choice over which international to watch this evening?


Denmark v England:

Wilshere

Am I really going to bother wasting another two hours of my life watching an all-star England team put up another embarrassing performance? Simply, NO!!!

There are plenty of other choices for enjoying the evening.

19:30 Cyprus ? – ? Romania
20:15 Denmark ? – ? England
20:30 Holland ? – ? Austria
20:30 Malta ? – ? Switzerland
20:30 Norway ? – ? Poland
20:45 Germany ? – ? Italy
20:45 Scotland ? – ? Northern Ireland
21:00 Argentina ? – ? Portugal
21:00 France ? – ? Brazil
21:30 Spain ? – ? Colombia

Only one exciting thing I expect from the England game: Arsenal's Jack Wilshere's debut; a sterling performance to signal why the England team needs to take on board new young talent and let go of the current expensive, egomaniac and shameful past heroes.

 

My eyes will be on Spain vs Colombia instead!