It is open season on open services as net scum migrate from sacking MongoDB databases to insecure ElasticSearch instances.
Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says.
So far more than 360 instances have had data copied and erased, held to ransom using the same techniques that blitzed tens of thousands of MongoDB servers this week.
Affected ElasticSearch administrators are greeted in one actor’s attacks with a message reading:
“Send 0.2 bitcoins to this wallet: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r if you want recover (sic) your database! Send to this email your service IP after sending the bitcoins [email protected] (sic).”
Amazon is reportedly shipping emails warning of the risks of exposed services.
The MongoDB ransom attacks, in which data is erased and returned only after payment, have escalated so sharply that at least one security boffin is offering affected companies free assistance.
The successful method is a threat to many open services. The Australian Communications and Media Alliance through its Australian Internet Security Initiative (AISA) has reported scores of open services including some 400 exposed Australian-based MongoDB databases.
It reports about 550 exposed ElasticSearch servers each day, 100 more than exposed MongoDB databases.
Exposed Intelligent Platform Management Interfaces, which are far riskier, are more numerous still: AISA reports a consistent 1400 exposed services a day, a number which would be much higher if HTTP and HTTPS interfaces were included.
Security boffins say those exposed services are “seriously scary” and are likely to be popular platforms such as Dell, IBM, and HP, many of which ship with default credentials; Dell’s Remote Access Controllers were found to all ship with the default credentials root and calvin. Popping those could grant access to large fleets of servers, to software and operating system upgrades, and to other administrative tasks.
MongoDB defended its database saying it was secure. It has since posted advice on how administrators should lock down their exposed installs.
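As an added illustration, not from the article, Elastic or MongoDB, the two ElasticSearch settings behind this kind of exposure can be audited from the node's own elasticsearch.yml: a listen address other than loopback, and no authentication layer (stock ElasticSearch of that era had none unless the X-Pack `xpack.security.enabled` setting or an equivalent plugin was in place). The helper names and both sample configs below are constructed for the example.

```python
# Audit an elasticsearch.yml for the two settings that make a node an internet-facing,
# unauthenticated target. Hypothetical helper; only the flat "key: value" form is parsed.

LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}

def _read_flat_yaml(text):
    """Read flat 'key: value' lines, dropping comments. Not a full YAML parser."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings

def audit_es_config(text):
    """Return findings explaining why this node would be reachable and open to anyone."""
    s = _read_flat_yaml(text)
    findings = []
    # ElasticSearch binds to loopback (_local_) when network.host is unset.
    host = s.get("network.host", "_local_")
    if host not in LOOPBACK:
        port = s.get("http.port", "9200")
        findings.append(f"network.host={host}: HTTP API on port {port} bound to a non-loopback address")
    # Without X-Pack security (or an equivalent plugin) every request is anonymous.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("no authentication: xpack.security.enabled is not true")
    return findings

# Constructed sample configs: the exposed shape seen in the campaign, and a locked-down one.
WEAK_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0   # listens on every interface, including the public one
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: prod-logs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg) or ["no findings"])
```

Run it against a copy of each node's config before trusting a perimeter you cannot see; the exposed AWS instances in the article were reachable precisely because nobody did.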