Specialists from an iOS pentesting course report that, over the past few days, a hacker has been breaking into Elasticsearch servers exposed on the Internet to wipe their content, pinning the blame on a cybersecurity company. John Wethington, a cybersecurity expert who has been following the case, says the campaign kicked off on March 24.
Apparently, the hacker behind this campaign has been using an automated script to scan the Internet for unprotected Elasticsearch deployments, connecting to each database to delete its content, and finally creating a new, empty index named nightlionsecurity.com. The same index has also been found in some Elasticsearch deployments whose content is intact, so specialists believe the attack does not succeed in every case.
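One defender-side check that the pattern above suggests, as an added example that is not part of the original report: compare a cluster's `GET /_cat/indices?format=json` listing against an inventory of the indices it should hold, and flag anything deleted, emptied or unexpectedly created, including the nightlionsecurity.com marker index. The sample listing and inventory below are constructed; the inventory format (index name to minimum expected document count) is an assumption of this example.

```python
import json
from dataclasses import dataclass, field

# Index name the report says the wiper campaign leaves behind.
INDICATOR_INDEX_NAMES = {"nightlionsecurity.com"}


@dataclass
class IndexAudit:
    missing: list = field(default_factory=list)     # expected but gone: content likely deleted
    emptied: list = field(default_factory=list)     # expected, present, but now holds zero docs
    unexpected: list = field(default_factory=list)  # present but not in inventory: possibly attacker-created
    indicators: list = field(default_factory=list)  # names matching the known campaign marker

    def is_clean(self):
        return not (self.missing or self.emptied or self.unexpected or self.indicators)


def audit_indices(cat_indices_json, expected):
    """Compare _cat/indices JSON output against an inventory of expected indices.

    `expected` maps index name -> minimum document count the index should hold.
    Names starting with '.' (system indices such as .kibana) are ignored.
    """
    rows = json.loads(cat_indices_json)
    # docs.count is a string in the API output and may be null for a red index.
    present = {r["index"]: int(r.get("docs.count") or 0)
               for r in rows if not r["index"].startswith(".")}
    audit = IndexAudit()
    for name in sorted(expected):
        if name not in present:
            audit.missing.append(name)
        elif present[name] == 0 and expected[name] > 0:
            audit.emptied.append(name)
    for name in sorted(present):
        if name in INDICATOR_INDEX_NAMES:
            audit.indicators.append(name)
        elif name not in expected:
            audit.unexpected.append(name)
    return audit


# Constructed sample: what a wiped cluster's index listing might look like.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
    {"index": "nightlionsecurity.com", "docs.count": "0", "store.size": "230b"},
    {"index": "customers-2020", "docs.count": "0", "store.size": "230b"},
])
SAMPLE_INVENTORY = {"customers-2020": 1, "orders-2020": 1}  # constructed inventory

if __name__ == "__main__":
    print(audit_indices(SAMPLE_CAT_INDICES, SAMPLE_INVENTORY))
```

Run it against the live listing on a schedule and alert on any non-clean result; a wiped cluster shows up as missing or emptied inventory entries plus the marker index, as in the sample.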
The name of the index left by the hacker was immediately linked to Night Lion Security, a cybersecurity firm that teaches an iOS pentesting course. In this regard, Vinny Troia, founder of the company, says Night Lion has nothing to do with these attacks. In a later interview, Troia claimed that the attacks are the work of a hacker he has been investigating for years, who may be taking revenge for a book Troia wrote.
Although many in the cybersecurity community initially regarded these attacks as a joke, it is no longer funny. So far, at least 15,000 affected Elasticsearch deployments are known, and this is not the only concern: at least 35,000 further Elasticsearch servers are believed to be exposed.
Researchers from an iOS pentesting course, together with other experts and security firms, have already notified Elasticsearch as well as the competent authorities; the company is in the process of implementing measures to mitigate the scope of these attacks.
As if that were not enough, the International Institute of Cyber Security (IICS) has identified a second threat actor also attacking Elasticsearch deployments. The hacker (or group of hackers) behind this campaign compromises the databases and leaves a message informing administrators that they have been hacked, along with an email address through which to arrange a payment in exchange for restoring access. Only 40 cases linked to this campaign are known so far, although it cannot be ruled out that the number will grow in the coming days.