Unsecured Elasticsearch Clusters Have Been Compromised


The owners of Elasticsearch clusters began reporting on January 12, 2017 that their databases had been wiped and their indexes had been replaced by a single index demanding payment to a specified wallet in order for the user to recover the database. Elasticsearch is a distributed, RESTful search and analytics engine.

Vulnerable Versions

Any publicly accessible Elasticsearch cluster

Indicators of Compromise

The disclosed compromise can be identified by a modified index containing a ransom note requesting payment to recover the database.
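The indicator above can be checked mechanically by comparing the cluster's index listing against a list of the indices it is expected to hold. The following is an added example, not part of the original advisory: it takes the body of a `GET /_cat/indices?format=json` response as input, and the baseline, index names, and document counts are constructed sample values.

```python
import json

# Constructed baseline: the indices this cluster is expected to hold.
BASELINE = {"orders-2017.01", "customers", ".kibana"}

# Constructed samples of a GET /_cat/indices?format=json response body.
HEALTHY = json.dumps([
    {"index": "orders-2017.01", "status": "open", "docs.count": "18234"},
    {"index": "customers", "status": "open", "docs.count": "4410"},
    {"index": ".kibana", "status": "open", "docs.count": "12"},
    {"index": "orders-2017.02", "status": "open", "docs.count": "97"},
])
WIPED = json.dumps([
    {"index": "placeholder-note-index", "status": "open", "docs.count": "1"},
])


def audit_indices(cat_indices_json, baseline):
    """Compare an index listing with the expected baseline.

    Returns the baseline indices that are missing, the indices that are
    not in the baseline (with their document counts), and whether the
    listing matches the pattern in this advisory: every expected index
    gone and exactly one unknown index in its place.
    """
    rows = json.loads(cat_indices_json)
    # docs.count is a string in the cat API and null for closed indices.
    docs = {r["index"]: int(r.get("docs.count") or 0) for r in rows}
    expected = set(baseline)
    missing = sorted(expected - docs.keys())
    unexpected = sorted(docs.keys() - expected)
    wipe_pattern = (
        bool(expected)
        and len(missing) == len(expected)
        and len(unexpected) == 1
    )
    return {
        "missing": missing,
        "unexpected": {name: docs[name] for name in unexpected},
        "wipe_pattern": wipe_pattern,
    }


if __name__ == "__main__":
    for label, body in (("healthy", HEALTHY), ("wiped", WIPED)):
        print(label, audit_indices(body, BASELINE))
```

An unexpected index on its own (such as a newly created monthly index) is reported but does not set `wipe_pattern`; only the loss of every baseline index combined with a single unknown index does.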


Remove public access to the Elasticsearch cluster. If a cluster must be accessible over the Internet, restrict access with a firewall, VPN, or other technology.

Threat Intelligence

We assess that the risk posed by this vulnerability is high if the Elasticsearch cluster is publicly accessible.

Additional information can be found at: