Ransom attack on Elasticsearch cluster?


(Xudong You) #1

Today I found that all indices on our Test ES cluster was removed and one new index "warning" was created there.

And I found following text from the raw index data:

SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS...

It is a tipical ransom attack on MongoDB recently:
https://www.bleepingcomputer.com/news/security/number-of-hijacked-mongodb-databases-is-going-up-as-more-hackers-are-flocking-in/

Anyone met same attack?


Indices all gone but i don't think i did it
My ElasticSearch Indexes have been mysteriously deleted, how do I debug the cause?
All shards are unassigned, no index name in _cat/shards
My ElasticSearch Indexes have been mysteriously deleted, how do I debug the cause?
Cluster getting deleted automatically
(Mark Walkom) #2

I know our Security product is comemrcial, but why would you place any datastore on the public internet?

Do you have backups?


(Xudong You) #3

It is a testing cluster for practicing and learning, so we simply allow internet access to endpoint.
We will definitely consider security on PROD cluster.


(Mark Walkom) #4

You don't care about your data?


(Xudong You) #5

No sensitive data on our test cluster.

Anyway this post is to remind others to be careful on their ES security :slight_smile:


(David Pilato) #6

Yeah. Thanks for sharing this. That can help others for sure.

Fortunately no one probably:

  • uses elasticsearch as the single source of truth for the data (single datastore)
  • exposes critical data directly on internet
  • with no security
  • with no backup

Well... let's hope that is true...


(Jörg Prante) #7

You can check on public IoT search engines like https://www.shodan.io/

Last time I looked there were thousands of open Elasticsearch servers reported. People never learn.


(Itamar Syn-Hershko) #8

For anyone interested, I wrote a blog post on how your clusters can and should be protected: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly


(Xudong You) #10

just curious, anyone know how does they hack? use script in query DSL?


(Christian Dahlqvist) #11

If the cluster is open to the internet and not secured in any way, you can simply read/modify/delete the data through the REST interface. No need for scripts of any kind.


(Itamar Syn-Hershko) #12

Yup, and then probably port scanning or using tools like https://www.shodan.io


(Bhavana) #13

Our ES cluster is also hacked . All the indices were removed and a warning message is shown . please suggest some security measures .

Thanks


Indexes dropped, please_read index found
(David Pilato) #14

Read https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom


Un invité surprise "please_read"!
Limitation on Shards
[1.7] mapping erased
#15

It's a shame that Elastic thinks data security is optional and doesn't include security modules as part of the default bundle. I understand that as an commercial entity, they have to generate revenue and shield is one of them. But most free to use products do not consider security as such. Before anyone says, stop cribbing, it's a free product, blah, blah and pay for it already, I will shut up :slight_smile:


#16

Shield is now replaced by X-Pack. But I cannot understand if it is free or I have to pay for it. Does anyone know something more about X-Pack?


(Mark Walkom) #17

The Security part of X-Pack is a commercial offering.


#18

Here's the problem:

  1. User finds out ES doesn't do authentication out of the box.
  2. User googles ES auth, finds X-Pack
  3. User installs X-Pack, auth starts to work.
  4. Trial license expires, user gets a free basic license
  5. Warning states that "some features" are subject to payment and not included in the basic license.
  6. ES is public again.

I appreciate that you guys put in an acknowledge mechanism so users have to ack that some features are not included in the basic license.

I do not appreciate that you do not mention clearly in your documentation that this pertains ALL AUTHENTICATION.

Here's what the documentation states:

https://www.elastic.co/guide/en/x-pack/current/license-expiration.html

# License [will expire] on [Friday, December 30, 2016]. If you have a new license, please update it.
# Otherwise, please reach out to your support contact.
#
# Commercial plugins operate with reduced functionality on license expiration:
# - security
# -- Cluster health, cluster stats and indices stats operations are blocked
# -- All data operations (read and write) continue to work
# - watcher
# -- PUT / GET watch APIs are disabled, DELETE watch API continues to work
# -- Watches execute and write to the history
# -- The actions of the watches don't execute
# - monitoring
# -- The agent will stop collecting cluster and indices metrics
# -- The agent will stop automatically cleaning indices older than [xpack.monitoring.history.duration]
# - graph
# -- Graph explore APIs are disabled

Notice the indentation underneath "- security"? (I added two dashes because the post formatter eats the extra space)
This indentation means "security" is listed as a category of items to be listed underneath. The two items ("Cluster health, cluster stats and indices stats operations are blocked", "All data operations (read and write) continue to work") do NOT adequately transport the message that this main feature of X-Pack is actually not working anymore.

Here's how you fix this: Either

a) Put up a big notice that makes it absolutely clear that authentication is not included in the free basic license, or
b) Consider adding auth to the free license tier. It is not something you can reasonably expect to charge money for. It is easily achieved via other means, so why not aim for robustness instead and offer everyone the benefits of a basic functionality like this. You may think it's a smart business idea, but to people outside your company it just looks like a cash grab.

We've been hit by this as well, but our data was easily reindexed. However, this just makes ES look immature. This would be an awesome time to turn this into a PR advantage, and react by adding auth support to either the free x-pack license, or even just include it in the main program.


(Daniel Arturo Gutiérrez Colorado) #19

My client has been hacked too, I'm reading your guide, thx Itamar!


(Daniel McGreal) #20
  • Reverse proxy to ES and do authentication there.
  • Setup firewall rules to only allow traffic from trusted IP addresses.
  • Tunnel via SSH
  • ...?

I don't see how anyone could miss that ES doesn't authenticate requests by itself. If you've put an ES endpoint on the public internet you only have yourself to blame when someone else accesses it.

I'm suspicious of your conclusion that licence expiry disables all authentication. It certainly doesn't seem to here, but I'm a little outdated in versions.


#21

dmjcgreal: Indeed, anyone putting up an ES instance without authentication on a public IP has to face the risk of someone else deleting stuff from it.

But do go ahead and try the latest version, install X-Pack (auth will work then), then install a basic license. You will have to acknowledge but it is easy to miss.

Thankfully, several solutions exist: There's an open source plugin for authentication which does not cost money, and you can also use nginx or haproxy to add basic auth to an ES instance. In general it's safest to not expose ES at all if you can help it.

And again, while there is a page buried somewhere that lists authentication as a paid feature, I would be helpful to include this information in the documentation as well - because that's the page you get if you google ES auth.