Thousands of insecure Elasticsearch servers are hosting point-of-sale malware, according to an analysis by Kromtech Security Center. In total, researchers found 15,000 insecure Elasticsearch servers with 27 percent (4,000) hosting the PoS malware strains Alina and JackPoS.
“The absence of authentication on some Elasticsearch servers allowed attackers to take full administrative control on the exposed instance,” wrote Bob Diachenko, Kromtech’s chief communication officer on Tuesday in a blog post outlining the research.
Review of this article
Authentication in Elasticsearch
Elasticsearch authentication is handled by a separate project, X-Pack. It provides access control, encryption of communications with SSL/TLS and an audit trail that records who is accessing what.
Keeping this in a separate project is the problem: out of the box, an Elasticsearch cluster ships with a default that is nowhere near enough. The default is no authentication at all. A developer who, for whatever reason, does not dig far enough into the documentation leaves the cluster on that default configuration, and once it is bound to a reachable interface anyone who can talk to port 9200 has full administrative control, which is exactly what Diachenko describes above.
Obviously, other projects have the same issue, MongoDB for example. This is a growing problem as these databases and systems are used more and more. A default configuration must be secure enough on its own: many developers do not have the time or the skills to handle security themselves.
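The check a practitioner wants at this point is a quick way to tell whether a node answers without credentials, as the exposed servers in the Kromtech scan did. The script below is an added example written for this review, not code from the article or from Elastic. It assumes what an unauthenticated GET / returns on an open node (the JSON root document with its tagline) and that X-Pack security answers 401 with a Basic challenge; the sample responses are constructed so the classifier runs offline.

```python
"""Check whether an Elasticsearch node on port 9200 answers without credentials.

Added example (not from the article or Kromtech); the response shapes below are
the ones Elasticsearch and X-Pack security return as far as the author knows,
treat them as assumptions and verify against your version.
"""
import json
import sys
import urllib.error
import urllib.request

# Every Elasticsearch node puts this tagline in its root document (GET /).
ES_TAGLINE = "You Know, for Search"


def classify(status, headers, body):
    """Classify one response to GET / on the HTTP port.

    'open'              200 and the body is the Elasticsearch root document:
                        no credentials were needed, so anyone can read, write
                        or delete indices and change cluster settings.
    'auth-required'     401 with a WWW-Authenticate challenge (X-Pack security
                        answers 401 Basic realm="security"; a proxy may too).
    'forbidden'         403: reachable, but something in front blocks us.
    'not-elasticsearch' anything else (another service, an error page).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in hdrs:
        return "auth-required"
    if status == 403:
        return "forbidden"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE and "version" in doc:
            return "open"
    return "not-elasticsearch"


def fetch(url, timeout=5):
    """GET url without credentials; return (status, headers, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


def probe(host, port=9200, timeout=5):
    """Probe one host; on an open node also list what an attacker could see."""
    base = f"http://{host}:{port}"
    result = {"host": host, "verdict": classify(*fetch(base + "/", timeout)), "indices": []}
    if result["verdict"] == "open":
        # _cat/indices needs no privilege on an open node: index names and document
        # counts are exactly what a scan like Kromtech's could read.
        status, _, body = fetch(base + "/_cat/indices?format=json", timeout)
        if status == 200:
            result["indices"] = [(i["index"], i.get("docs.count")) for i in json.loads(body)]
    return result


# Constructed responses (not captured from any real host) so the classifier can be
# exercised offline; the 401 header and body mirror what X-Pack security sends.
OPEN_NODE = (200, {"Content-Type": "application/json"}, json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "5.6.0"}, "tagline": ES_TAGLINE}))
SECURED_NODE = (401, {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'}, json.dumps({
    "error": {"type": "security_exception", "reason": "missing authentication token"}, "status": 401}))
SOME_WEB_SERVER = (200, {"Content-Type": "text/html"}, "<html><body>It works!</body></html>")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            r = probe(host)
            print(host, r["verdict"], ", ".join(f"{n} ({c} docs)" for n, c in r["indices"]))
    else:
        for label, resp in (("open", OPEN_NODE), ("secured", SECURED_NODE), ("web", SOME_WEB_SERVER)):
            print(label, "->", classify(*resp))
```

Run it with one or more hostnames to probe real nodes you are authorised to test, or with no arguments to see the three constructed cases classified. A verdict of "open" on a host reachable from the Internet is the situation the article describes; "auth-required" only tells you a challenge is in place, not that the credentials are strong.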
Automation of installation and configuration
A good way to improve security is automation. The installation and configuration of Elasticsearch is scripted and developed locally; in production the deployment is then zero-touch, with no human intervention. Many tools can do this, such as Ansible, Chef or Puppet.
Automation also helps handle integration and updates correctly in external ecosystems such as Amazon Web Services.
It is also a necessary step towards good monitoring and reporting.
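Whatever tool does the deployment, the scripted configuration is where the "no authentication" default gets overridden, and a pipeline can refuse to ship a file that still has it. The script below is an added example written for this review, not an Ansible, Chef, Puppet or Elastic artifact: it renders a hardened elasticsearch.yml and audits any elasticsearch.yml for the settings that matter. The setting names are the X-Pack ones for Elasticsearch 6.x as known to the author, the keystore path is a placeholder, and the sample configurations are constructed.

```python
"""Render a hardened elasticsearch.yml and audit any elasticsearch.yml before deployment.

Added example (not from the article, not an Elastic or Ansible artifact): the idea is
that the configuration is generated and checked in the pipeline, so a cluster never
reaches production on the "no authentication" default. Setting names are the X-Pack
ones for Elasticsearch 6.x as the author knows them; confirm against your version.
"""

# Settings the audit insists on. Values are compared as strings as they appear in the file.
REQUIRED = {
    "xpack.security.enabled": "true",                # authentication + authorization
    "xpack.security.transport.ssl.enabled": "true",  # node-to-node traffic encrypted
    "xpack.security.http.ssl.enabled": "true",       # REST API over TLS
    "xpack.security.audit.enabled": "true",          # audit trail of who did what
}


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines elasticsearch.yml is made of.

    Nesting, lists and anchors are not handled; comments and blank lines are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_loopback(host):
    """True when network.host keeps the node reachable from this machine only."""
    return host in ("_local_", "localhost", "::1") or host.startswith("127.")


def audit(text):
    """Return [(severity, message), ...]; an empty list means the file passes."""
    s = parse_flat_yaml(text)
    findings = []
    # Elasticsearch 2.x and later bind to loopback when network.host is unset;
    # the exposed servers in the article had it pointed at a reachable interface.
    host = s.get("network.host", "_local_")
    if not is_loopback(host) and s.get("xpack.security.enabled") != "true":
        findings.append(("CRITICAL", f"network.host={host} is reachable from other hosts "
                                     "and xpack.security.enabled is not true: anyone who can "
                                     "reach port 9200 gets full administrative control"))
    # Unset is treated as insecure on purpose: the whole point is that the default asks for nothing.
    for key, want in REQUIRED.items():
        if s.get(key) != want:
            findings.append(("WARN", f"{key} should be {want} (found {s.get(key, 'unset')})"))
    return findings


def render(cluster_name, node_name, host, keystore="certs/elastic-certificates.p12"):
    """Produce the hardened elasticsearch.yml that the deploy step writes verbatim."""
    lines = [
        f"cluster.name: {cluster_name}",
        f"node.name: {node_name}",
        f"network.host: {host}",
        "http.port: 9200",
    ]
    lines += [f"{key}: {value}" for key, value in REQUIRED.items()]
    lines += [
        # PKCS#12 keystore produced out of band (e.g. with elasticsearch-certutil); the path is an assumption
        f"xpack.security.transport.ssl.keystore.path: {keystore}",
        f"xpack.security.transport.ssl.truststore.path: {keystore}",
        f"xpack.security.http.ssl.keystore.path: {keystore}",
    ]
    return "\n".join(lines) + "\n"


# Constructed inputs, not files taken from any real system.
DEFAULT_CONFIG = "# elasticsearch.yml as shipped: nothing set, loopback only, no auth\n"
EXPOSED_CONFIG = "cluster.name: prod\nnetwork.host: 0.0.0.0\n"   # the pattern behind the exposed servers


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("exposed", EXPOSED_CONFIG),
                       ("rendered", render("prod", "es-1", "10.0.0.5"))):
        print(f"{label}: {audit(cfg) or 'passes'}")
```

In a real pipeline the render step would be the template task of whichever tool you use, and the audit runs as a gate on the generated file so a hand edit or a copied default never reaches production unnoticed. Note that the audit treats an unset xpack.security.enabled as a finding even where a given version would enable it implicitly: an explicit value is what you want in a file you ship unattended.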