Targeted malware attacks against Elasticsearch servers surge

Old vulnerabilities are proving to be successful.
Written by Charlie Osborne, Contributing Writer

Unsecured Elasticsearch clusters are being targeted in a fresh wave of attacks designed to drop both malware and cryptocurrency mining software.

This week, cybersecurity researchers from Cisco Talos warned of a spike in recent strikes against these systems, with six separate cyberattack groups believed to be involved.

In particular, Elasticsearch servers using software versions 1.4.2 and lower are being targeted.

According to Cisco Talos, it is not new or zero-day bugs which are being exploited in order to compromise servers. Rather, old vulnerabilities in unpatched software are providing the avenue for successful attacks.

The old vulnerabilities which have appeared most often in recent Elasticsearch attacks are CVE-2014-3120 and CVE-2015-1427, an error in default configurations of Elasticsearch before 1.2 which permits the execution of arbitrary MVEL expressions and a scripting engine issue in Elasticsearch before 1.4.3 which allows for the execution of arbitrary shell commands.

See also: Coinhive cryptojacking service to shut down in March 2019

After analysis made through honeypot setups, the researchers found that these old bugs are being used to pass scripts to search queries and deploy malicious payloads. Both vulnerabilities can be exploited to download bash scripts via invoking wget.

"The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file," the researchers say. "Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs."

The bash script also contains an executable which can be unpacked to deploy other vulnerabilities and payloads. Some are of particular interest, including CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons, all of which can be leveraged to remotely execute code.

In addition, other attack vectors being used in the latest assault include the exploit of CVE-2014-3120 to deploy denial-of-service (DoS) malware and to download a file named "LinuxT" which is believed to be a variant of the Spike Trojan -- also known as Mr Black -- for use on x86, MIPS and ARM architectures.

TechRepublic: Why businesses fear cyberattacks from ex-employees more than nation states

Social media accounts have also been identified which may be connected to the drop of the LinuxT payload and a link to Chinese attackers has been suggested.

"Given the size and sensitivity of the data sets these clusters to contain the impact of a breach of this nature could be severe," Cisco Talos says. 

The researchers also suggest that upgrading builds and disabling the ability to send scripts in Elasticsearch, when possible, should be implemented in server setups.

CNET: US reportedly took Russian trolls offline on Election Day in 2018

In November, an ElasticSearch server was left exposed on the Internet for close to two weeks which contained personally identifiable information (PII) of almost 57 million US citizens.

Over 73GB of data was contained within several databases on the server and included information such as names, email and home addresses, phone numbers, and IPs. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards