NightLion worm retaliates on Night Lion Security for disrupting them

July 7, 2022
Threat actors are using a worm dubbed NightLion to take revenge on the cybersecurity firm Night Lion Security, after the firm published research exposing the operations of several hacking gangs.

Because the worm carries the firm's name and leaves the firm's details behind on every compromised server, early reports attributed the campaign to Night Lion Security itself. The name was planted to frame the firm; researchers see the campaign as retaliation for its reporting on these gangs.

Based on reports, the NightLion worm targets publicly accessible, unauthenticated Elasticsearch servers and deletes portions of the databases it finds on them. No exploit is needed for this: an Elasticsearch node whose REST API is reachable without credentials lets any client read, write and delete indices.

The worm then leaves a readme note claiming that Night Lion Security carried out the attack and deleted large volumes of data.

The note goes on to say that a victim wishing to recover its data must pay an unspecified sum to Night Lion Security, and it lists the firm's real website URL and contact number.

The unauthenticated Elasticsearch servers compromised by NightLion are spread across many countries and companies.

The researchers found that the NightLion worm had accessed more than 800 openly accessible, unauthenticated Elasticsearch servers. The largest share, about 200 servers, was in the United States; China followed with about 180, then Germany, France, and Singapore.

A separate researcher, however, found only a subset of these databases showing signs of infection.

Some of the affected databases held critical datasets as large as 10 gigabytes. The most recent activity observed, between May and June, affected nearly 900 IP addresses.

The attack has a history going back to March two years earlier. Attackers operating under the name "thedarkoverlord" allegedly wiped public-facing Elasticsearch servers and left a note naming NightLionSecurity[.]com. That campaign alone wiped more than 15 thousand Elasticsearch servers, leaving Night Lion Security's details on each as a calling card.

The adversaries have almost certainly automated the discovery and targeting of misconfigured Elasticsearch servers, so organisations should prioritise securing them: these servers hold large volumes of data, and an instance exposed to the internet without authentication can be read, modified or deleted by anyone who finds it. At a minimum, a node should listen only on internal addresses or localhost, have authentication enabled, and sit behind a firewall that blocks its REST port from the internet.
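Two checks that follow from the advice above, written here as an added example rather than code from the article or from Night Lion Security: a probe that classifies what an Elasticsearch node's root endpoint returns to an unauthenticated client, and an audit of the two `elasticsearch.yml` settings whose combination makes a node a target for this kind of worm. The response shapes are Elasticsearch's documented `GET /` reply and its standard 401 when security is enabled; the sample configs are constructed for the demo, and treating an unset `xpack.security.enabled` as disabled is an assumption (the default depends on the Elasticsearch version and licence).

```python
"""Added example, not part of the original article: checks for the exposure
the NightLion worm abuses (an Elasticsearch REST API reachable without
credentials). Sample configs below are constructed, not real deployments."""
import json
import urllib.error
import urllib.request

ES_PORT = 9200  # Elasticsearch's default REST port


def classify_response(status, body):
    """Classify an unauthenticated GET / reply from an Elasticsearch node.

    'exposed'   - 200 with cluster metadata: anyone who can reach the port
                  can read, write and delete indices, which is all the worm needs
    'protected' - 401/403: authentication is enforced
    'unknown'   - anything else (proxy, another service, error page)
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            data = json.loads(body)
        except (ValueError, TypeError):
            return "unknown"
        # A real node answers with cluster_name, version and a tagline.
        if isinstance(data, dict) and "cluster_name" in data and "version" in data:
            return "exposed"
    return "unknown"


def probe(host, port=ES_PORT, timeout=5):
    """Send an unauthenticated GET / to a host and classify the answer.
    Needs network access; the other functions run offline."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


def audit_config(config_text):
    """Flag the dangerous combination in elasticsearch.yml: the node bound to a
    non-loopback address while xpack.security is disabled. Only flat
    'key: value' lines are parsed, which is enough for these settings."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    findings = []
    # Elasticsearch binds loopback unless network.host is set.
    host = settings.get("network.host", "localhost")
    # Assumption for this demo: unset security means disabled.
    security = settings.get("xpack.security.enabled", "false").lower()
    loopback = ("localhost", "127.0.0.1", "::1", "_local_")
    if host not in loopback and security != "true":
        findings.append(
            f"network.host={host} with xpack.security.enabled={security}: "
            "REST API reachable and unauthenticated"
        )
    if host in ("0.0.0.0", "_global_", "_site_"):
        findings.append(f"network.host={host}: node listens on external interfaces")
    return findings


WEAK_CONFIG = """# constructed sample, not a real deployment
cluster.name: analytics
network.host: 0.0.0.0
xpack.security.enabled: false
"""

HARDENED_CONFIG = """# constructed sample, not a real deployment
cluster.name: analytics
network.host: 127.0.0.1
xpack.security.enabled: true
"""

if __name__ == "__main__":
    # Constructed GET / body in the shape a real node returns.
    open_node = '{"name":"n1","cluster_name":"analytics","version":{"number":"7.9.0"}}'
    print("open node   :", classify_response(200, open_node))
    print("secured node:", classify_response(401, ""))
    print("weak config :", audit_config(WEAK_CONFIG))
    print("hardened    :", audit_config(HARDENED_CONFIG))
```

Run `probe("10.0.0.5")` against your own hosts to confirm nothing answers `exposed` from outside; a scanner on the internet sees exactly the same reply. The config audit is deliberately narrow: it only knows about binding and authentication, because those two settings are what separate an internet-reachable node from one the worm cannot touch.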
