Over the last two weeks, an unidentified attacker has been entering Elasticsearch servers (a widely deployed, open source search engine that scales out quickly) that were exposed without authentication, deleting their contents and leaving the name of a cyber security company behind as a calling card. The attacks on Elasticsearch servers began on March 24, and security researcher John Whittington was among those who discovered and identified the malicious activity. According to the investigation, the attacks were carried out by an automated script that scanned the Internet for Elasticsearch instances reachable without authentication, connected to each one and attempted to delete its indices. As a final step, it created a new, empty index named nightlionsecurity.com.
As the research widened, we found that the attacker's script had not worked correctly in every case: some servers that carried the nightlionsecurity.com index still had their original indices, and their content, intact.
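The following triage helper is an added example, not code from the article, from the researcher or from any company it names. It assumes only what the article describes: an instance reachable without authentication, existing indices deleted, and an empty index named nightlionsecurity.com created. It classifies a cluster from the output of `GET /_cat/indices?format=json` (a list of objects with an `index` field) into clean, wiped, or marked-but-intact (the failed-delete case the investigation observed), and maps the HTTP status of `GET /` to an exposure verdict. Treating dot-prefixed indices (such as `.kibana_1`) as Elasticsearch internals rather than user data is an assumption of this example; the sample index lists are constructed.

```python
"""Triage helper for the Elasticsearch wiping campaign described above.

Added example (not the article's or any vendor's code). Assumes the
attacker behaviour the article describes: user indices deleted and an
empty index named 'nightlionsecurity.com' left behind. Index lists have
the shape returned by GET /_cat/indices?format=json. Sample data below
is constructed.
"""
import json
import urllib.error
import urllib.request

MARKER_INDEX = "nightlionsecurity.com"


def is_internal_index(name):
    # Assumption of this example: dot-prefixed indices are ES/Kibana
    # internals, not the operator's data, so they do not count as "surviving".
    return name.startswith(".")


def triage_indices(indices):
    """Classify a cluster from its index list.

    Returns a dict with:
      marker_present - True if the attacker's calling-card index exists
      surviving      - user indices other than the marker and internals
      verdict        - 'clean', 'wiped' or 'marked_but_intact'
    """
    names = [entry["index"] for entry in indices]
    marker_present = MARKER_INDEX in names
    surviving = sorted(
        n for n in names if n != MARKER_INDEX and not is_internal_index(n)
    )
    if not marker_present:
        verdict = "clean"
    elif surviving:
        # The delete step failed but the marker was still written:
        # the partial-success case the article reports.
        verdict = "marked_but_intact"
    else:
        verdict = "wiped"
    return {"marker_present": marker_present, "surviving": surviving, "verdict": verdict}


def classify_root_status(status):
    """Map the HTTP status of GET / to an exposure verdict."""
    if status == 200:
        return "open"            # no authentication: what the scanner looked for
    if status in (401, 403):
        return "auth_required"
    return "unknown"


def probe_cluster(base_url, timeout=5):
    """Live check against one instance (not run by default, needs network).

    base_url is a hypothetical value such as 'http://10.0.0.5:9200'.
    """
    try:
        with urllib.request.urlopen(base_url + "/", timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        return {"exposure": classify_root_status(exc.code)}
    exposure = classify_root_status(status)
    if exposure != "open":
        return {"exposure": exposure}
    with urllib.request.urlopen(base_url + "/_cat/indices?format=json", timeout=timeout) as resp:
        indices = json.load(resp)
    return {"exposure": exposure, **triage_indices(indices)}


# Constructed samples: a wiped cluster, a marked-but-intact one, and a clean one.
SAMPLE_WIPED = [
    {"index": MARKER_INDEX, "docs.count": "0"},
    {"index": ".kibana_1", "docs.count": "12"},
]
SAMPLE_INTACT = [
    {"index": MARKER_INDEX, "docs.count": "0"},
    {"index": "customers", "docs.count": "48213"},
    {"index": "orders-2020.03", "docs.count": "9931"},
]
SAMPLE_CLEAN = [{"index": "logs-2020.03.24", "docs.count": "100"}]

if __name__ == "__main__":
    for label, sample in (("wiped", SAMPLE_WIPED), ("intact", SAMPLE_INTACT), ("clean", SAMPLE_CLEAN)):
        print(label, triage_indices(sample))
```

Run against a real instance, `probe_cluster` first confirms the exposure the scanner relied on (a 200 on `GET /` with no credentials) before pulling the index list; a `marked_but_intact` verdict means the data survived but the instance is still reachable by the same script and should be put behind authentication before the next pass.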