Hackers target Elasticsearch clusters in fresh malware campaign
Old versions of analytics tool could be used to spread cryptocurrency miners
Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be an attempt to spread malware on victims' machines.
Attackers appear targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads, according to a blog post by researchers at Cisco Talos. Researchers found that both malware and cryptocurrency miners were being left on target machines.
Researchers explained that because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present.
Hackers have been consistently deploying two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget.
"This is likely an attempt to make the exploit work on a broader variety of platforms," said researchers.
Researchers also saw a second hacker exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. "The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners," said researchers.
A third hacker was observed to download a file named "LinuxT" from an HTTP file server using exploits targeting CVE-2014-3120. hosts that attempted to download the "LinuxT" sample also dropped payloads that executed the command "echo 'qq952135763.'"
"This behaviour has been seen in elastic search error logs going back several years," said researchers.
Honeypots set up by researchers also detected additional hosts exploiting Elasticsearch to drop payloads that execute both "echo 'qq952135763'" and "echo '952135763,'" suggesting that the attacks are related to the same QQ account.
"However, none of the IPs associated with these attacks have been observed attempting to download the "LinuxT" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one," said researchers.
Researchers said that these Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. "Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe," warned researchers.
Organisations using Elasticsearch are urged to patch and upgrade to a newer version of Elasticsearch if at all possible.
2023 Strategic roadmap for data security platform convergence
Capitalise on your data and share it securely using consolidated platformsFree Download
The 3D trends report
Presenting one of the most exciting frontiers in visual cultureFree Download
The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana
Cost savings and business benefitsFree Download
Leverage automated APM to accelerate CI/CD and boost application performance
Constant change to meet fast-evolving application functionalityFree Download