Thailand’s largest mobile network was leaking customer internet records in real-time

Another ElasticSearch cloud database exposed in the wild

Thailand’s biggest mobile operator has pulled an unprotected cloud server that exposed the internet activity of its customers in real-time.

The server, which belonged to AWN, a subsidiary of AIS, a mobile phone operator with 39.87 million customers in Thailand, was live-leaking customer DNS query and NetFlow logs.

The ElasticSearch database was discovered by security researcher Justin Paine on 7 May, by which point it had been publicly accessible for almost a week.

In a blog post detailing the incident, Paine wrote that anyone who discovered the server could easily “paint a picture” of how the mobile network’s users travelled the internet.

Paine tried and failed to alert AWN about the exposed server, independently and then with TechCrunch journalist Zack Whittaker. In the end, the pair went direct to Thailand’s National CERT team (ThaiCert) who managed to get hold of the network and get the database secured on May 22.

During the three-week period the database was adding 200 million new rows of data everyday. By the time it was secured, 8.3 billion documents were stored on the 4.7 TB database.

The server contained a combination of NetFlow data and DNS query logs. NetFlow data tracks the different types of traffic sent to a destination IP by a source IP (e.g. person, device or house), and how much data was transferred. DNS query logs contain the DNS requests made by single source IP.

Armed with this information, a hacker could easily determine a household’s internet-connected devices, the browsers they use, the websites they visit and how frequently they visit them.

According to DivvyCloud, nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019. ElasticSearch misconfigurations accounted for 20 percent of all breaches and 44 percent of all records exposed.

Paine, who has discovered 9 such leaks over the past year, said ElasticSearch should make its server creation settings more secure by default.

“Obviously if the person setting up these tools is determined to put them on the public Internet there’s no way to prevent that,” he said. “That being said, these tools could display a gigantic warning banner that alerts users if the tool is detected to be publicly accessible without authentication and make the user acknowledge they understand the risk and implications of that.”