Exposed cloud databases are probed within just hours of being set up, according to new research from Comparitech.
The firm’s security research team, headed by Bob Diachenko, has written many times about Elasticsearch servers that organizations left online but unsecured, putting them at risk of discovery by cyber-criminals.
However, to find out just how widespread black hat scanning for such exposed instances is, Comparitech decided to build a honeypot.
It left a database filled with fake data on an Elasticsearch instance, completely unsecured, for 11 days in May.
During that time it detected 175 unauthorized requests, which averages out to 18 attacks per day. The first one came just eight-and-a-half hours after deployment, days before the database was even indexed by popular IoT search engines Shodan and BinaryEdge. This illustrates how many hackers use proactive scanning tools, Comparitech said.
However, the largest number of attacks (22) on any one day came just after the instance was indexed by Shodan. In fact, two attacks came in just a minute after it was indexed.
Attacks came mainly from the US, Romania and China, and most were looking for more information about the database and its settings.
Some sought to exploit Elasticsearch vulnerabilities from 2015 to install cryptocurrency mining software, steal passwords and change the configuration of the server with a view to stealing and deleting all data.
A few days after the research concluded, the still-exposed honeypot was attacked by a malicious bot that deleted the contents of the database and replaced it with a ransom message.
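The timeline above (time to first unauthorized request, requests per day, the peak day, and the mix of reconnaissance versus destructive requests) is the kind of summary a defender would want from an exposed instance's own request log. The following is an added example, not Comparitech's honeypot code: it parses a constructed log in an assumed "timestamp source-IP method path" layout, classifies each request by the Elasticsearch endpoint it touched (the `/_cat`, `/_cluster` and `/_nodes` APIs are real endpoints; the classification rules are this example's own), and reports the figures the article quotes. The deployment time and the log lines are constructed so that the first request lands 8.5 hours after deployment, mirroring the article's number.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: one line per HTTP request that reached the unsecured
# instance. The field layout (timestamp, source IP, method, path) is an
# assumption for this example; a real honeypot log will differ.
SAMPLE_LOG = """\
2020-05-11T20:30:00Z 203.0.113.7 GET /
2020-05-11T20:30:02Z 203.0.113.7 GET /_cat/indices?v
2020-05-12T03:14:00Z 198.51.100.9 GET /_cluster/settings
2020-05-12T03:14:05Z 198.51.100.9 GET /_nodes
2020-05-13T09:00:00Z 192.0.2.44 POST /_search
2020-05-13T09:00:30Z 192.0.2.44 DELETE /customers
2020-05-13T09:00:31Z 192.0.2.44 PUT /readme/_doc/1
"""

# Constructed deployment time; the first sample request is 8.5 hours later.
DEPLOYED_AT = datetime(2020, 5, 11, 12, 0, tzinfo=timezone.utc)

# Endpoints that reveal cluster layout, settings and index names without
# touching document data: the "looking for more information" requests.
RECON_PREFIXES = ("/_cat", "/_cluster", "/_nodes", "/_plugins")


def classify(method, path):
    """Bucket a request by what it could do to the instance (example rules)."""
    p = path.split("?", 1)[0]
    if method == "DELETE":
        return "destructive"
    if method in ("PUT", "POST") and "_search" not in p:
        return "write"          # index creation, document writes, settings changes
    if p == "/" or p.startswith(RECON_PREFIXES):
        return "recon"
    if "_search" in p:
        return "data_read"
    return "other"


def parse_log(text):
    """Turn the constructed log into records with a parsed timestamp and a kind."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"when": when, "ip": ip, "method": method,
                        "path": path, "kind": classify(method, path)})
    return records


def summarize(records, deployed_at):
    """Compute the exposure metrics: total, hours to first hit, per-day and per-kind counts."""
    if not records:
        return {"total": 0}
    records = sorted(records, key=lambda r: r["when"])
    per_day = Counter(r["when"].date().isoformat() for r in records)
    peak_day, peak_count = per_day.most_common(1)[0]
    hours_to_first = (records[0]["when"] - deployed_at).total_seconds() / 3600
    return {
        "total": len(records),
        "hours_to_first": round(hours_to_first, 1),
        "per_day": dict(per_day),
        "peak_day": peak_day,
        "peak_count": peak_count,
        "by_kind": dict(Counter(r["kind"] for r in records)),
        "sources": dict(Counter(r["ip"] for r in records)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG), DEPLOYED_AT).items():
        print(f"{key}: {value}")
```

The useful operational signal is the `hours_to_first` figure compared with the instance's own change record: if that number is in the single digits, the exposure was found by active scanning rather than by a search engine index, which is exactly the point the research makes.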
Boris Cipot, senior security engineer at Synopsys, argued the research highlights just how little time organizations have to find and remediate any configuration errors in the cloud.
“We see often that insecure steps are made when deploying instances in the cloud environment. Insecure security settings lead to exploitable systems and devices,” he added.
“I recommend that companies have procedures around provisioning resources and hold to them much like a pilot’s checklist in preparation for take-off. This then leads to two important things: first, the creation of security policies and procedures and secondly, a checklist that does not allow room for mistakes.”
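One concrete form of the pre-deployment checklist described above is an automated audit of the node's `elasticsearch.yml` before it is allowed to go live. The following is an added example, not code from Comparitech or from Synopsys: it reads the flat `key: value` settings from a configuration file, checks three real Elasticsearch settings (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) and returns findings. Two constructed configurations are embedded, the weak one resembling the honeypot's state and a hardened one. Treating an absent `xpack.security.enabled` as "not enabled" is a conservative assumption made by this example (it matches releases before 8.0, where security was off by default).

```python
# Constructed weak configuration: reachable on every interface, no authentication.
WEAK_CONFIG = """\
cluster.name: honeypot
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened configuration: authentication and TLS on the REST API.
HARDENED_CONFIG = """\
cluster.name: prod
network.host: 10.0.0.5      # constructed private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Values of network.host that keep the REST API on the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used by elasticsearch.yml (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    return value.strip().lower() == "true"


def audit(config_text):
    """Return (severity, message) findings for an elasticsearch.yml; empty means pass."""
    cfg = parse_flat_yaml(config_text)
    findings = []

    # Elasticsearch binds to loopback when network.host is absent.
    host = cfg.get("network.host", "_local_")
    exposed = host not in LOOPBACK

    # Absent xpack.security.enabled is treated as disabled (assumption, see lead-in).
    if not is_true(cfg.get("xpack.security.enabled", "false")):
        findings.append((
            "critical" if exposed else "medium",
            f"xpack.security.enabled is not true: REST API on network.host={host} "
            "accepts requests without authentication",
        ))

    # Without TLS on an exposed node, credentials and documents travel in clear text.
    if exposed and not is_true(cfg.get("xpack.security.http.ssl.enabled", "false")):
        findings.append((
            "high",
            "xpack.security.http.ssl.enabled is not true on a non-loopback host",
        ))
    return findings


def passes_checklist(config_text):
    """Gate used by a provisioning pipeline: deploy only when no findings remain."""
    return not audit(config_text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "PASS" if passes_checklist(cfg) else "FAIL")
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Run as a gate in the provisioning pipeline, the function refuses the weak configuration before the instance is reachable, which is the window the research shows is measured in hours rather than days.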