Hackers target Elasticsearch clusters in fresh malware campaign


Rene Millman

27 Feb, 2019

Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be attempts to place malware on victims’ machines.

Attackers appear targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker’s payloads, according to a blog post by researchers at Cisco Talos. Researchers found that both malware and cryptocurrency miners were being left on target machines.

Researchers explained that because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present.

Hackers have been consistently deploying two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget.

“This is likely an attempt to make the exploit work on a broader variety of platforms,” said researchers.

Researchers also saw a second hacker exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. “The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners,” said researchers.

A third hacker was observed to download a file named “LinuxT” from an HTTP file server using exploits targeting CVE-2014-3120. hosts that attempted to download the “LinuxT” sample also dropped payloads that executed the command “echo ‘qq952135763.'”

“This behaviour has been seen in elastic search error logs going back several years,” said researchers.

Honeypots set up by researchers also detected additional hosts exploiting Elasticsearch to drop payloads that execute both “echo ‘qq952135763′” and “echo ‘952135763,’” suggesting that the attacks are related to the same QQ account.

“However, none of the IPs associated with these attacks have been observed attempting to download the “LinuxT” payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one,” said researchers.

Researchers said that these Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. “Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe,” warned researchers.

Organisations using Elasticsearch are urged to patch and upgrade to a newer version of Elasticsearch if at all possible.