In this quick blog post we’ll see what LeakIX has indexed over this incident.
The service leaking the data was an unprotected Kibana instance running on port
5601 ( default Kibana port ).
Kibana is used to view data and administrate an Elasticsearch cluster and allows for proxied connections to the underlying Elasticsearch cluster.
At the time of the index, the endpoint was running version
5.5.3 of the ELK stack.
The certificate information we gathered indicates the service was running behind
This is the default Kibana endpoint exposed by AliBaba when an Elasticsearch service is deployed on a public network.
Alibaba’s documentation currently states that exposure of the endpoint to a public network will happen by default.
Lack of password protection
AliBaba’s documentation also states that a default username and password (
elastic/elastic) will be assigned to the ElasticSearch cluster.
However, we can see the Elasticsearch version that was exposed is actually
This look like a legacy Elasticsearch cluster version, which did NOT support authentication out of the box and required a paid license or a third-party authentication plugin to enable it.
An analysis of the running cluster features reveals that x-pack wasn’t installed on any of the 33 servers.
The first sign of external activity was detected around the 26th of June by our probes with the appearance of the following indices :
Found index contact_for_data with 0 documents (810 B) Found index recovery10btc with 0 documents (810 B) Found index your_data_is_safe with 1 documents (6.0 kB) Found index contact_for_your_data with 2 documents (11.2 kB) Found index read_note_for_details with 1 documents (6.0 kB)
This suggests at least 4 different groups got their hands on the cluster at that date.
Most of the data was also dropped, allegedly by the ransomware groupS.
Multiple ElasticSearch cluster deployed at Alibaba faced the same issue with older version of ElasticSearch all exposed if the default Kibana configuration was kept :
On the 1st of July, AliBaba has made private or has shutdown all the Kibana servers running
The oldest exposed endpoint is dated from
- CNN : Nearly one billion people in China had their personal data leaked, and it’s been online for more than a year
- Exposed 5.5.3 clusters
- Exposed server history
- Optional X-Pack plugin for security