IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers target Elasticsearch clusters in fresh malware campaign

Old versions of analytics tool could be used to spread cryptocurrency miners

Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be an attempt to spread malware on victims' machines.

Attackers appear targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads, according to a blog post by researchers at Cisco Talos. Researchers found that both malware and cryptocurrency miners were being left on target machines.

Researchers explained that because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present.

Hackers have been consistently deploying two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget.

"This is likely an attempt to make the exploit work on a broader variety of platforms," said researchers.

Researchers also saw a second hacker exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. "The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners," said researchers.

A third hacker was observed to download a file named "LinuxT" from an HTTP file server using exploits targeting CVE-2014-3120. hosts that attempted to download the "LinuxT" sample also dropped payloads that executed the command "echo 'qq952135763.'"

"This behaviour has been seen in elastic search error logs going back several years," said researchers.

Honeypots set up by researchers also detected additional hosts exploiting Elasticsearch to drop payloads that execute both "echo 'qq952135763'" and "echo '952135763,'" suggesting that the attacks are related to the same QQ account.

"However, none of the IPs associated with these attacks have been observed attempting to download the "LinuxT" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one," said researchers.

Researchers said that these Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. "Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe," warned researchers.

Organisations using Elasticsearch are urged to patch and upgrade to a newer version of Elasticsearch if at all possible.

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023
Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023