{"id":37981,"date":"2019-02-27T12:23:41","date_gmt":"2019-02-27T12:23:41","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=81eea316fb977703fe35028891044746"},"modified":"2019-02-27T12:23:41","modified_gmt":"2019-02-27T12:23:41","slug":"hackers-target-elasticsearch-clusters-in-fresh-malware-campaign","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/hackers-target-elasticsearch-clusters-in-fresh-malware-campaign\/","title":{"rendered":"Hackers target Elasticsearch clusters in fresh malware campaign"},"content":{"rendered":"


\n Rene Millman<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
27 Feb, 2019<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be attempts to place malware on victims\u2019 machines.<\/p>\n

Attackers appear targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker’s payloads, according to a\u00a0blog post<\/a>\u00a0by researchers at Cisco Talos. Researchers found that both malware and cryptocurrency miners were being left on target machines.<\/p>\n

Researchers explained that because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present.<\/p>\n

Hackers have been consistently deploying two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget.<\/p>\n

<\/p>\n

\n\u201cThis is likely an attempt to make the exploit work on a broader variety of platforms,\u201d said researchers.<\/p>\n

Researchers also saw a second hacker exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. \u201cThe reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners,\u201d said researchers.<\/p>\n

A third hacker was observed to download a file named “LinuxT” from an HTTP file server using exploits targeting CVE-2014-3120. hosts that attempted to download the “LinuxT” sample also dropped payloads that executed the command “echo ‘qq952135763.'”<\/p>\n

\u201cThis behaviour has been seen in elastic search error logs going back several years,\u201d said researchers.<\/p>\n

Honeypots set up by researchers also detected additional hosts exploiting Elasticsearch to drop payloads that execute both “echo ‘qq952135763′” and “echo ‘952135763,’” suggesting that the attacks are related to the same QQ account.<\/p>\n

\u201cHowever, none of the IPs associated with these attacks have been observed attempting to download the “LinuxT” payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one,\u201d said researchers.<\/p>\n

Researchers said that these Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. \u201cGiven the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe,\u201d warned researchers.<\/p>\n

Organisations using Elasticsearch are urged to patch and upgrade to a newer version of Elasticsearch if at all possible. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Rene Millman<\/p>\n

27 Feb, 2019 <\/p>\n

Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be attempts to place malware on victims\u2019 machines.
\nAtt…<\/p>\n","protected":false},"author":417,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-37981","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/417"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=37981"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37981\/revisions"}],"predecessor-version":[{"id":37982,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37981\/revisions\/37982"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=37981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=37981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=37981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}