New research has uncovered the speed at which cybercriminals will discover unprotected servers online.

Technology researchers at Comparitech recently identified that hackers could locate exposed web based Elasticsearch servers at a faster rate than they could be indexed by search engines. The research also indicated that cybercriminals are mostly focusing on stealing credentials and cryptocurrency mining when they make their attacks.

The experiment involved establishing a server containing a fake database and rendering it exposed. Over 150 unauthorised requests were recorded with the initial request occurring under 12 hours after exposure.

A barrage of attacks

The research team at Comparitech, headed up by Bob Diachenko, rendered the Elasticsearch server utterly exposed online for a total of 11 days after setting it live on May 11. During this period, the server averaged around 18 attacks per day.

While it took search engines such as Shodan until May 16 to index the system, and BinaryEdge even longer (until May 21), hackers proved far faster. Attacks came quickly with initial probes beginning only eight and a half hours after the server was first deployed.

The machine was hit over 36 times before it was indexed by search engines indicating that many cyber attackers do not wait until servers appear within public resources, but instead actively scan the web to track them down. Once it had been indexed by threat actors, it took only a minute for attacks to hit the machines. The highest number of server requests on a single day was 22.

Comparitech researchers did, however, admit that a portion of the requests could potentially have been issued by security researchers seeking open servers but stated that distinguishing between them and hackers was not easy.

Hacker tactics and goals uncovered

The study showed that the majority of attacks were from the United States followed by Romania and China. However, attackers are able to disguise their real IP addresses using proxy services, so this data may be inaccurate. Findings garnered from the experiment also showed that hackers were not merely attacking to steal data. Comparitech commented:

“Some wanted to hijack servers to mine cryptocurrency, steal passwords, and destroy data.”

Out of the attacks witnessed by Comparitech, many of the hackers were seeking to mine cryptocurrency via exploiting an older but well-known vulnerability (CVE-2015-1427) in order to install their miner. While the attacks used numerous different IP addresses, they all shared the same mining script download source.

Another common incidence was the server’s passwords being stolen by also using CVE-2015-1427 along with another previously used bug known to impact Elasticsearch, CVE-2015-5531 to acquire the password file for the machine.

A more complex attack involved the server’s configuration being altered to delete data inside and requests for ransoms of up to $550 in bitcoin following the act of destruction.

Elasticsearch servers left unprotected have been the cause of data leaks involving billions of files belonging to millions of individuals and enterprises. Data harvested in this way can often be part of a wider attack campaign and used in targeted phishing emails, identity theft and account hijacking.