For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.
According to British security researcher
John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.
The attacks appear to be carried with the help of an automated script that scans the internet for ElasticSearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.
The attacking script doesn't appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.
However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.
