Thousands of Kibana implementations using Elasticsearch are exposed online


Working with large amounts of data without taking the necessary security steps can pose a huge risk to any organization. According to the ethical hacking training experts from the International Institute of Cyber Security (IICS), unprotected databases significantly increase the chances of a company being a victim of a data breach.

For example, more than 50% of the data breach cases registered in 2018 originated from unprotected database implementations, in other words, implementations that any minimally knowledgeable user could access, even without needing a password.

An organization’s databases may contain extremely sensitive information, the ethical hacking training experts noted; that is why threat actors have begun to focus their efforts on finding vulnerable or unprotected access points. Reports have recently emerged of unprotected instances of Kibana exposed on the Internet, a situation that threatens the operations of multiple companies.

Kibana is an open source analytics and visualization platform designed to run with Elasticsearch; it makes it easy for data analysts to quickly understand the complex flows and logs of large data sets through graphical visualizations.

According to the ethical hacking training experts, there are about 25k Kibana instances active online; out of these, most are exposed without adequate protections. Apparently, this is because Kibana does not have built-in security options, such as session management, although these functions can be integrated through services provided by third parties.

A significant portion of the nearly 25k Kibana instances that exist run on servers with obsolete software versions that contain an arbitrary file inclusion vulnerability in the Console plugin.

Presumably, the vulnerability allows hackers to remotely execute malicious JavaScript code, which could in turn let them execute arbitrary commands on the host system. Because a large number of these servers have no authentication in place, this could be the first step toward a massive data breach, one of the most critical situations a company could face.

To mitigate these risks, experts recommend protecting exposed instances with third-party authentication methods, while tracking and analyzing access data in order to prevent or detect possible leaks.
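As an added illustration of the "third-party authentication" mitigation above (this is example configuration written for this page, not from the article or from the Kibana project), the following nginx reverse proxy fronts Kibana with HTTPS and HTTP basic authentication. It assumes Kibana has been bound to loopback only (`server.host: "127.0.0.1"` in kibana.yml) so that the only route to port 5601 is through the proxy; the hostname, certificate paths and htpasswd path are placeholders.

```nginx
# /etc/nginx/conf.d/kibana.conf (example, placeholder names throughout)
# Precondition: kibana.yml sets server.host: "127.0.0.1" so port 5601
# is reachable only from this host, never directly from the Internet.

server {
    listen 80;
    server_name kibana.example.internal;          # placeholder hostname
    return 301 https://$host$request_uri;         # never serve Kibana over plain HTTP
}

server {
    listen 443 ssl;
    server_name kibana.example.internal;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/kibana.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/kibana.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authentication happens here because Kibana itself has no built-in login.
    # Create the file with: htpasswd -B -c /etc/nginx/htpasswd.kibana analyst
    auth_basic           "Kibana";
    auth_basic_user_file /etc/nginx/htpasswd.kibana; # placeholder path

    # Keep an access log so that who reached the dashboards can be reviewed.
    access_log /var/log/nginx/kibana.access.log;

    location / {
        proxy_pass         http://127.0.0.1:5601;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

A quick check after deployment is that an unauthenticated request to the proxy returns 401 and that the same request sent directly to port 5601 from another host times out.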