An Elasticsearch cluster containing Trell.co data has been found open on the internet.
The full user/posts database of trell.co is available for download, including user emails.
Sample document from the `users` index (email redacted):

{
  "_id": "163680687",
  "_index": "users",
  "_score": null,
  "_source": {
    "Followers": 316771,
    "Following": 1,
    "Handle": "ninukusumbabu",
    "Id": 163680687,
    "Name": "Ninu Kusum Babu",
    "TrailViews": 80661571,
    "Trails": 86,
    "UserAvatar": "https://cdn.trell.co/w=200,h=200,fit=smart/user-images/avatar/ddnJU33nX4JPbrZtsXCD8si4OiXMZwKY.jpeg",
    "UserEmail": "<redacted>123@gmail.com"
  },
  "_type": "users",
  "sort": [76459213]
}
The database is open on a widely scanned port. Closing the port should be done ASAP to avoid a data leak.
Indices: 13, document count: 80694469, size: 19.4 GB
Found index trails-posts with 7027097 documents (6.5 GB)
Found index .apm-agent-configuration with 7 documents (39.1 kB)
Found index .kibana_1 with 87 documents (95.4 kB)
Found index users with 70676027 documents (11.7 GB)
Found index ilm-history-1-000019 with 0 documents (208 B)
Found index tags with 1212 documents (599.3 kB)
Found index ilm-history-1-000017 with 0 documents (208 B)
Found index apm-7.6.0-onboarding-2020.07.02 with 9 documents (50.3 kB)
Found index ilm-history-1-000018 with 0 documents (208 B)
Found index ilm-history-1-000016 with 0 documents (208 B)
Found index .kibana_task_manager_1 with 2 documents (21.7 kB)
Found index taggeduser with 25 documents (113.2 kB)
Found index overall_engagement with 2990003 documents (1.2 GB)
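As an added example, not part of the report or of LeakIX's tooling, here is a small triage script over the index listing above: it parses the "Found index" lines, totals documents and size, and separates application data from the bookkeeping indices that Elasticsearch, Kibana, ILM and APM create for themselves (the prefixes used for that split are an assumption).

```python
import re

# Constructed sample input: the same values as the "Found index" lines above.
INDEX_LISTING = """\
Found index trails-posts with 7027097 documents (6.5 GB)
Found index .apm-agent-configuration with 7 documents (39.1 kB)
Found index .kibana_1 with 87 documents (95.4 kB)
Found index users with 70676027 documents (11.7 GB)
Found index ilm-history-1-000019 with 0 documents (208 B)
Found index tags with 1212 documents (599.3 kB)
Found index ilm-history-1-000017 with 0 documents (208 B)
Found index apm-7.6.0-onboarding-2020.07.02 with 9 documents (50.3 kB)
Found index ilm-history-1-000018 with 0 documents (208 B)
Found index ilm-history-1-000016 with 0 documents (208 B)
Found index .kibana_task_manager_1 with 2 documents (21.7 kB)
Found index taggeduser with 25 documents (113.2 kB)
Found index overall_engagement with 2990003 documents (1.2 GB)
"""

LINE_RE = re.compile(r"Found index (\S+) with (\d+) documents \(([\d.]+) (B|kB|MB|GB|TB)\)")
UNIT = {"B": 1, "kB": 1e3, "MB": 1e6, "GB": 1e9, "TB": 1e12}
# Assumed prefixes of indices created by the stack itself (Kibana, ILM, APM);
# everything else is treated as application data that needs triage.
SYSTEM_PREFIXES = (".", "ilm-history-", "apm-")

def parse_listing(text):
    """Return a list of (name, doc_count, size_bytes) tuples, one per index line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), float(m.group(3)) * UNIT[m.group(4)]))
    return rows

def triage(text):
    """Summarise the exposure: totals plus application indices, largest first."""
    rows = parse_listing(text)
    app = [r for r in rows if not r[0].startswith(SYSTEM_PREFIXES)]
    return {
        "indices": len(rows),
        "documents": sum(r[1] for r in rows),
        "size_gb": round(sum(r[2] for r in rows) / 1e9, 1),
        "application_indices": sorted(app, key=lambda r: -r[1]),
    }
```

Running `triage(INDEX_LISTING)` reproduces the totals in the summary line (13 indices, 80,694,469 documents, 19.4 GB) and lists `users` and `trails-posts` as the indices that carry almost all of the exposed data.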
Contacted via twitter ( https://twitter.com/TrellApp )
Contacted Bimal Kartheek Rebba (Co-founder) through LinkedIn
No reply on any media. Escalating to the local CERT and the hosting provider.
Email from: 202110091402578b0bd7b865484f68895c2d5b4c80p0na@bounces.amazon.com

Hello,

We've received your report concerning unwanted content hosted on Amazon Web Services. In investigating this content, we've determined that it is currently managed by a user of our network. While the IP address of the material may indicate that the network is ours, the user is actually the one controlling the content in question.

We understand your concern regarding the availability of this content. As a courtesy we have notified our customer of your request to have the content removed or access disabled, however, at this time, we are not able to take additional action. We request that you work directly with our customer if you have any further concerns by using the contact details provided on the site in question. If there is no contact information available, please note that AWS' privacy policy prohibits us from disclosing customer details without a binding court order.

We apologize for any inconvenience this may cause. For any other abuse related issues, please do not hesitate to contact us at ec2-abuse@amazon.com.

Best Regards,
AWS Trust & Safety
Amazon Web Services, LLC

Case number: 57396688136

Your original report:

* Log Extract:
<<<
Title: Elasticsearch cluster exposing PII
Researcher report

Exposure
An Elasticsearch cluster containing Trell.co data has been found open on the internet.

Impact
The full user/posts database of trell.co is available for download, including user emails.

{"_id":"163680687","_index":"users","_score":null,"_source":{"Followers":316771,"Following":1,"Handle":"ninukusumbabu","Id":163680687,"Name":"Ninu Kusum Babu","TrailViews":80661571,"Trails":86,"UserAvatar":"https://cdn.trell.co/w=200,h=200,fit=smart/user-images/avatar/ddnJU33nX4JPbrZtsXCD8si4OiXMZwKY.jpeg","UserEmail":"<redacted>123@gmail.com"},"_type":"users","sort":[76459213]}

Resolution
The database is open on a widely scanned port. Closing the port should be done ASAP to avoid a data leak.

Related events

| Host | Port | Source | Country | Priority | Infected | Leak rows | Leak size |
|---|---|---|---|---|---|---|---|
| 13.127.207.84 | 9200 | elasticsearch | India | high | false | 80,694,469 rows | 19.4 GB |

Report created by BloodyShell on Mon, 04 Oct 2021 09:08:30 UTC
>>>

* Comments:
<<<
>>>
Email from: incident@cert-in.org.in

Ref: CERTIn-83300221
--------------------------------

Dear Sir/Madam,

Thank you for reporting to CERT-In. We have registered your complaint/incident under Ref: CERTIn-83300221. We are in process of taking appropriate action with the concerned authority.

--
Thanks and Regards,
CERT-In Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: 1800-11-4949
FAX: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information: https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address: Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, C.G.O. Complex, New Delhi-110 003

On 09/10/21 06:42 PM, 55dc9737-567b-4a90-8aa6-dbd08951408b+lj66T8F1IK@reports.leakix.net wrote:

> Dear Trell.co,
>
> Security researcher BloodyShell has identified a security issue in your infrastructure through our prevention platform. The issue has been confirmed by our team and its priority is critical. This is a free prevention report and not a sales attempt.
>
> Please use this email address ( 55dc9737-567b-4a90-8aa6-dbd08951408b+lj66T8F1IK@reports.leakix.net ) for further communications with the involved parties.
>
> This report has been dispatched to [support@trell.in incident@cert-in.org.in abuse@amazonaws.com]
>
> Report ID: 55dc9737-567b-4a90-8aa6-dbd08951408b
> Owner: Trell.co
> Title: Elasticsearch cluster exposing PII
>
> Researcher report
>
> Exposure
> An Elasticsearch cluster containing Trell.co data has been found open on the internet.
>
> Impact
> The full user/posts database of trell.co is available for download, including user emails.
>
> Resolution
> The database is open on a widely scanned port. Closing the port should be done ASAP to avoid a data leak.
>
> Related events
>
> | Host | Port | Source | Country | Priority | Infected | Leak rows | Leak size |
> |---|---|---|---|---|---|---|---|
> | 13.127.207.84 | 9200 | elasticsearch | India | high | false | 80,694,469 rows | 19.4 GB |
>
> Report timeline
> Report created by BloodyShell on Mon, 04 Oct 2021 09:08:30 UTC
> Report edited by BloodyShell on Mon, 04 Oct 2021 09:09:11 UTC
> Report approved by BloodyShell on Mon, 04 Oct 2021 09:11:21 UTC
> New PDF report generated by system on Mon, 04 Oct 2021 09:11:22 UTC
> Report dispatched to support@trell.in by system on Mon, 04 Oct 2021 09:11:22 UTC
>
> BloodyShell commented on Mon, 04 Oct 2021 13:16:31 UTC
> Contacted via twitter ( https://twitter.com/TrellApp )
> Contacted Bimal Kartheek Rebba (Co-founder) through LinkedIn
>
> New PDF report generated by system on Mon, 04 Oct 2021 13:16:35 UTC
> Report comment dispatched to support@trell.in by system on Mon, 04 Oct 2021 13:16:35 UTC
>
> BloodyShell commented on Sat, 09 Oct 2021 13:13:59 UTC
> No reply on any media.
> Escalating to local CERT and hosting provider.
>
> New PDF report generated by system on Sat, 09 Oct 2021 13:14:00 UTC
> Report comment dispatched to support@trell.in by system on Sat, 09 Oct 2021 13:14:00 UTC
> Report edited by BloodyShell on Sat, 09 Oct 2021 13:14:23 UTC
> New PDF report generated by system on Sat, 09 Oct 2021 13:14:24 UTC
>
> LeakIX prevention team
> support@leakix.net
> https://leakix.net/
The `users` index has been altered multiple times; its document count went through these states:
- 70M
- 0
- 58M, without emails

It is unclear who made the modifications, but removing the emails is not enough: this port should be `closed` and/or firewalled, as any attacker could alter the database or use it for stats collection.
The server is now unreachable. We'll keep monitoring for a week before disclosure.