Several sources have recently reported ransomware attacks on MongoDB, Elasticsearch, Hadoop, and CouchDB instances. The attacks target installations that are reachable from the Internet and still run with default configurations, which on these platforms means no authentication is required to read, write, or delete data. 

How Can I Tell If I've Been Affected?

Potential Indicators: 

  • Data indices missing (Elasticsearch)
  • A new index named warning whose contents demand that bitcoins be sent to a given address (Elasticsearch)
  • A new collection called "bitcoin" (MongoDB)
  • HDFS directories missing (Hadoop)
  • Databases wiped (CouchDB)
  • A ransom demand left in place of the data (CouchDB)
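The indicators above are all of one shape: data that used to be there is gone, and a name that looks like a ransom note has appeared. The following is an added example (not code from the original advisory or from any vendor) that turns that into a repeatable check: diff a current listing against a known-good baseline and classify what changed. The listings it consumes are the ones an operator already has (`GET /_cat/indices` for Elasticsearch, `db.getCollectionNames()` for MongoDB, `GET /_all_dbs` for CouchDB, `hdfs dfs -ls /` for Hadoop); the samples here are constructed, and the ransom-name pattern is an assumption built from the indicators on this page plus common note names.

```python
"""Triage the ransom indicators above against a known-good baseline.

Added example; not code from the original advisory or from any vendor.
All sample listings below are constructed.
"""
import re
from dataclasses import dataclass, field

# Assumption: names that look like a ransom note rather than real data.
# "warning" and "bitcoin" come from the indicators above; extend as observed.
RANSOM_NAME_RE = re.compile(r"bitcoin|btc|warning|readme|please_read|ransom", re.I)


@dataclass
class Findings:
    missing: list = field(default_factory=list)     # in baseline, gone now (wiped)
    suspicious: list = field(default_factory=list)  # new, and matches RANSOM_NAME_RE
    unexpected: list = field(default_factory=list)  # new, no match (needs a human look)


def triage(observed, baseline):
    """Diff a current listing against the baseline and classify the changes."""
    obs, base = set(observed), set(baseline)
    f = Findings(missing=sorted(base - obs))
    for name in sorted(obs - base):
        (f.suspicious if RANSOM_NAME_RE.search(name) else f.unexpected).append(name)
    return f


def likely_hit(f):
    """Data gone *and* a ransom-looking name left behind is the pattern above."""
    return bool(f.missing) and bool(f.suspicious)


def parse_cat_indices(text):
    """Index names from default `_cat/indices` output (index is column 3)."""
    return [ln.split()[2] for ln in text.splitlines() if len(ln.split()) >= 3]


# Constructed sample: `_cat/indices` after an attack; the uuids are made up.
ES_CAT_INDICES = """\
yellow open warning aaaaaaaaaaaaaaaaaaaaaa 5 1 1 0 3.9kb 3.9kb
green  open .kibana bbbbbbbbbbbbbbbbbbbbbb 1 0 2 0 6.7kb 6.7kb
"""
ES_BASELINE = ["logs-2017.01.10", "logs-2017.01.11", ".kibana"]

# Constructed sample: db.getCollectionNames() after an attack vs. before.
MONGO_NOW = ["bitcoin"]
MONGO_BASELINE = ["users", "orders"]


if __name__ == "__main__":
    for label, now, base in (("elasticsearch", parse_cat_indices(ES_CAT_INDICES), ES_BASELINE),
                             ("mongodb", MONGO_NOW, MONGO_BASELINE)):
        f = triage(now, base)
        print(label, "LIKELY HIT" if likely_hit(f) else "no ransom pattern", f)
```

The baseline is the important input: keep a periodic export of index, collection, database and directory names somewhere the data store itself cannot overwrite, otherwise the only listing you have after an attack is the attacker's.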

 

Recommendation

Regardless of which hosting provider you use, we strongly suggest that you follow the vendors' security best practices to reduce the attack surface of MongoDB, Elasticsearch, Hadoop, and CouchDB: bind each service to localhost or a private interface, require authentication, and restrict inbound access with firewall rules. In addition, we recommend that customers regularly review all public-facing services and either reduce their network exposure or harden the applicable configuration. Because these attacks delete rather than encrypt the data, recovery means restoring from a backup taken before the exposure; paying the ransom does not guarantee that anything is returned. 
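The weak combination behind these attacks is easy to spot in the configuration files themselves. The following is an added example (not tooling from this advisory or from any vendor) that checks three of the four platforms: it parses mongod.conf and elasticsearch.yml (both YAML) and CouchDB's local.ini (INI) and flags a listener on a non-loopback address with no authentication, showing a weak configuration beside its hardened form. The YAML reader is an assumption: it only understands the `key: value` and indented-mapping subset those two files use, so the example needs no third-party library. Treating a missing `net.bindIp` as exposed is also an assumption, made because MongoDB versions before 3.6 bound to all interfaces by default. All sample configs are constructed.

```python
"""Config exposure check for MongoDB, Elasticsearch and CouchDB.

Added example, not tooling from the advisory or any vendor. Flags the
combination the attacks relied on: a non-loopback listener with no auth.
"""
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def flatten_yaml(text):
    """Subset YAML -> {"dotted.key": "value"}; nesting by indentation (assumption)."""
    out, stack = {}, []  # stack of (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if val.strip():  # leaf: record it and pop, a sibling may follow
            out[".".join(k for _, k in stack)] = val.strip().strip("'\"")
            stack.pop()
    return out


def exposed(addr_field):
    """True if any comma-separated listen address is not loopback."""
    return any(a.strip() not in LOOPBACK for a in addr_field.split(",") if a.strip())


def check_mongod(conf):
    cfg, findings = flatten_yaml(conf), []
    # Assumption: a missing bindIp counts as exposed (pre-3.6 default was all interfaces).
    bind = cfg.get("net.bindIp", "0.0.0.0")
    if exposed(bind):
        findings.append(f"mongod listens on {bind} (non-loopback)")
        if cfg.get("security.authorization") != "enabled":
            findings.append("mongod exposed without security.authorization: enabled")
    return findings


def check_elasticsearch(conf):
    cfg = flatten_yaml(conf)
    host = cfg.get("network.host", "_local_")  # 2.x+ default is loopback
    # Elasticsearch has no built-in authentication, so exposure alone is the finding.
    return [f"elasticsearch listens on {host} with no built-in auth"] if exposed(host) else []


def check_couchdb(ini):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini)
    findings = []
    for section in ("chttpd", "httpd"):  # 2.x and 1.x section names
        if cp.has_option(section, "bind_address") and exposed(cp.get(section, "bind_address")):
            findings.append(f"couchdb [{section}] bind_address is non-loopback")
    if not (cp.has_section("admins") and cp.options("admins")):
        findings.append("couchdb has no [admins] entry ('admin party': every client is admin)")
    return findings


# Constructed samples: weak setting beside the corrected one.
WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_MONGOD = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
WEAK_ES = "cluster.name: prod\nnetwork.host: 0.0.0.0\n"
HARDENED_ES = "cluster.name: prod\nnetwork.host: _local_\n"
WEAK_COUCH = "[chttpd]\nbind_address = 0.0.0.0\n[admins]\n"
# CouchDB hashes a plaintext [admins] value on first start; "change-me" is a placeholder.
HARDENED_COUCH = "[chttpd]\nbind_address = 127.0.0.1\n[admins]\nadmin = change-me\n"


def audit_all(mongod, es, couch):
    """Run every check; an empty list means nothing to fix."""
    return check_mongod(mongod) + check_elasticsearch(es) + check_couchdb(couch)


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_MONGOD, WEAK_ES, WEAK_COUCH)),
                        ("hardened", (HARDENED_MONGOD, HARDENED_ES, HARDENED_COUCH))):
        print(label, audit_all(*args) or ["ok"])
```

Enabling `security.authorization` on mongod only makes the server enforce authentication; a user with a strong password still has to be created before clients can connect. Where a service genuinely must listen on a public interface (clustering, remote clients), the finding is not a false positive: it means the firewall rules and the service's own authentication are now the only things standing between the data and the Internet.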
