Elasticsearch Ransom Attack

Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets

As if the MongoDB ransacking fiasco wasn’t enough, bored attackers have added ransacking of open AWS Elasticsearch clusters to their list. Late last week (and who knows how long before that), they began attacking Elasticsearch domains with open access policies. Access and permissions to AWS Elasticsearch domains are controlled via resource-based policies attached to the domain, and an open access policy grants anyone on the Internet, without authentication, full access to the domain’s indices.

AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except when testing with non-production data. We would go as far as to say that testing with an open access policy shouldn’t ever be practiced, period. Our experience shows that development and pre-production environments are ripe for exploitation because of their lower security hygiene and the reduced (or absent) monitoring placed on them. What’s even worse is that we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that! Or, if you must, always make sure you anonymize it first).
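As an added example (plain Ruby written for this post, not the ESP custom signature linked below and not Evident.io’s code), the check below shows what such a detection needs to look for in a domain’s access policy: an Allow statement whose Principal is anonymous (`"*"` or `{"AWS": "*"}`) and that carries no Condition. The two sample policies, the account ID and the domain ARN are constructed for illustration.

```ruby
require "json"

# Constructed sample: the kind of "open" access policy the attacks exploited.
OPEN_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*"
    }]
  }
JSON

# Constructed sample: same wildcard principal, but limited to a source IP range,
# so it is not an open access policy.
IP_RESTRICTED_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
      "Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" } }
    }]
  }
JSON

# A principal is anonymous when it is "*" or {"AWS": "*"} (the "AWS" value may be a list).
def anonymous_principal?(principal)
  return true if principal == "*"
  return false unless principal.is_a?(Hash)
  Array(principal["AWS"]).include?("*")
end

# Returns every statement that grants access to anyone without any Condition.
def open_statements(policy_json)
  policy = JSON.parse(policy_json)
  Array(policy["Statement"]).select do |stmt|
    stmt["Effect"] == "Allow" &&
      anonymous_principal?(stmt["Principal"]) &&
      (stmt["Condition"].nil? || stmt["Condition"].empty?)
  end
end

# True when the policy contains at least one open statement.
def open_access_policy?(policy_json)
  !open_statements(policy_json).empty?
end

puts "open policy flagged: #{open_access_policy?(OPEN_POLICY)}"           # true
puts "IP-restricted flagged: #{open_access_policy?(IP_RESTRICTED_POLICY)}" # false
```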

Evident.io takes these types of exploits in the wild very seriously. In order for our customers to identify, remediate and monitor for Elasticsearch domains with open access policies, we have released an Evident Security Platform (ESP) custom signature in our open-source repo: https://github.com/EvidentSecurity/custom_signatures/blob/master/elastic_search_open_access_policy.rb

We recommend that everyone who uses AWS Elasticsearch install and activate this ESP custom signature immediately. Instructions for creating a custom signature are here: http://docs.evident.io/#custom-signatures.

If you have any questions installing this custom signature, please email support@evident.io.

—The Evident.io Team

PS – Not yet an Evident.io customer? You can try ESP free for 14 days and start securing your cloud infrastructure within minutes. Get started now to see if you have any high priority risks in your AWS environment.

About John Martinez

John Martinez, Principal Solutions Architect for Evident.io, has in-depth experience guiding development teams on AWS and other cloud platforms. He assists them in streamlining the creation of cloud applications, optimizing AWS resource usage, and ensuring that their AWS infrastructures are properly protected. John specializes in DevOps, automation and continuous solutions, and contributed to the creation of the CIS Foundations Benchmark for AWS Security.