More than 15,000 Elasticsearch servers attacked by a hacker through unauthenticated access

In the last two weeks, an unidentified hacker has been able to enter Elasticsearch servers (a widely deployed, fast-scaling open source search engine) without authentication and wipe their contents, while trying to leave the name of a cyber security company as a footprint during the operation. The attacks on Elasticsearch servers began on March 24, and security researcher John Whittington was one of the people who discovered and identified the malicious activity. According to the investigation, the attacks were carried out with the help of an automated script, which scanned for and identified Elasticsearch systems that were reachable on the Internet without authentication, then connected to the relevant database and tried to erase its content. In the last step, it created a new “empty” index called

When the research became more extensive, we found that the attacker’s script did not work properly in all cases, because the new index also appeared on databases whose content remained intact.
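The pattern described above, an Elasticsearch node answering without credentials and an unfamiliar empty index sitting next to data that may or may not have been wiped, can be checked from the operator's side. The script below is an added example, not code from the article, from the researcher, or from the Elasticsearch project. It assumes a node URL in the environment variable `ES_URL` (defaulting to `http://localhost:9200`) and an operator-maintained inventory of expected index names in `EXPECTED_INDICES`; both values and the sample `_cat/indices` rows are constructed placeholders.

```python
"""Defensive exposure and wipe check for an Elasticsearch node (added example).

Assumptions: ES_URL points at a node you operate; EXPECTED_INDICES is the set of
index names you expect to exist. Neither comes from the article.
"""
import json
import os
import urllib.error
import urllib.request

ES_URL = os.environ.get("ES_URL", "http://localhost:9200")  # assumed; point at your own node
EXPECTED_INDICES = {"customers", "orders", ".kibana"}  # placeholder inventory

# Constructed sample shaped like the rows of GET /_cat/indices?format=json on a
# node the wiper script only partly processed: one index intact, one emptied,
# one unfamiliar empty index (placeholder name) left behind.
SAMPLE_CAT_INDICES = [
    {"health": "yellow", "status": "open", "index": "customers", "docs.count": "48213"},
    {"health": "yellow", "status": "open", "index": "orders", "docs.count": "0"},
    {"health": "yellow", "status": "open", "index": "unknown-empty-index", "docs.count": "0"},
]


def classify_root_status(status: int) -> str:
    """Interpret the HTTP status of an unauthenticated GET / on the node."""
    if status == 200:
        return "exposed"  # node answers with no credentials, like the servers in the report
    if status in (401, 403):
        return "auth-required"  # a security layer is rejecting anonymous requests
    return "unknown"


def unexpected_empty_indices(cat_indices: list, expected: set) -> list:
    """Names of zero-document indices that are not in the operator's inventory.

    'docs.count' arrives as a string (or None while an index initialises), so it
    is normalised before the comparison.
    """
    flagged = []
    for row in cat_indices:
        name = row.get("index", "")
        count = int(row.get("docs.count") or 0)
        if count == 0 and name not in expected:
            flagged.append(name)
    return sorted(flagged)


def summarize(cat_indices: list, expected: set) -> dict:
    """Report missing inventory indices, emptied inventory indices and unfamiliar empties."""
    present = {row.get("index", ""): int(row.get("docs.count") or 0) for row in cat_indices}
    return {
        "missing_expected": sorted(expected - set(present)),
        "emptied_expected": sorted(n for n in expected if n in present and present[n] == 0),
        "unexpected_empty": unexpected_empty_indices(cat_indices, expected),
    }


def fetch(path: str):
    """GET a path on ES_URL with no credentials; return (status, body-or-None)."""
    req = urllib.request.Request(ES_URL + path, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    try:
        status, _ = fetch("/")
    except urllib.error.URLError as err:
        raise SystemExit(f"cannot reach {ES_URL}: {err.reason}")
    verdict = classify_root_status(status)
    print(f"{ES_URL}: {verdict} (HTTP {status})")
    if verdict == "exposed":
        status, body = fetch("/_cat/indices?format=json")
        rows = json.loads(body) if status == 200 and body else []
        print(json.dumps(summarize(rows, EXPECTED_INDICES), indent=2))
```

Run against the constructed sample, the report lists `.kibana` as missing, `orders` as emptied, and `unknown-empty-index` as an unfamiliar empty index; the last two together are the footprint the article describes, and a run that shows only the unfamiliar index with every inventory index intact matches the partial-failure case noted above. Any node that reports `exposed` should be taken off the public network and have authentication enabled before the index check is even worth interpreting.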