Elasticsearch is a search engine based on the Lucene library. Elasticsearch servers store databases which are queried using the Elasticsearch search engine. The documents stored in Elasticsearch are distributed across different containers known as shards, which are duplicated to provide redundant copies of the data in case of hardware failure. The distributed nature of Elasticsearch allows it to scale out to hundreds (or even thousands) of servers and handle petabytes of data.

FunctionData Storage & Retrieval

Notable Details

  • Customers should know where their databases are, especially those that are publicly exposed and at risk of being attacked.
  • On April 3, 2020, ZDNet reported that over the past two weeks a malicious actor has been wiping open and unsecured Elasticsearch Servers connected to the internet. The attack, according to ZDNet and Security Researcher John Wethington, appears to be scripted. The actor is scanning the internet for open and unsecure Elasticsearch instances and then attempting to delete the contents of the database. The attack is not always successful, but the actor has been able to deface or delete over 15,000 servers creating an empty index called “nightlionsecurity.com”.

Recent Vulnerabilities

  • Most Elasticsearch breaches occur due to configuration errors and lack of authentication put in place by the persons setting up their instances. Elasticsearch provides a built-in capability for authenticating users and securing instances, documentation for which is provided here.


RiskIQ detects Elasticsearch through routine mass scanning of the entire IPv4 address space and by crawling the Internet. Performing port scans across the Internet gives RiskIQ deep visibility into how the Internet changes. RiskIQ currently looks for over 110 unique ports across every system responsive online. Observations and metadata collected from these port scans are saved within the RiskIQ Internet Intelligence Graph and made available to customers. Additionally, RiskIQ crawls the Internet, inspecting website content for specific technologies.


Current Visibility: 190 Hosts and 164K IP addresses