For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.
According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.
The attacks appear to be carried with the help of an automated script that scans the internet for ElasticSearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.
The attacking script doesn’t appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.
However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.
Night Lion Security denies any involvement
In a Signal conversation with this reporter yesterday, Vinny Troia, the founder of Night Lion Security, has denied that his company had anything to do with the ongoing attacks.
In an interview he gave DataBreaches.net on March 26, Troia said he believes the attack is being carried out by a hacker he has been tracking for the past years, and who is also the subject of a recently released book.