POS Malware Abuses Exposed ElasticSearch Nodes for C&C

Two point of sale (POS) malware families have been abusing thousands of publicly accessible ElasticSearch nodes for command and control (C&C) purposes, Kromtech security researchers warn.

Malicious files discovered on the ElasticSearch deployments referenced the AlinaPOS and JackPOS malware families, both well known for their wide use in credit card data theft campaigns. Both threats are designed to scrape card data from the memory of the infected machine.

Both JackPOS and AlinaPOS have been around for several years and have spawned numerous variants, each employing different techniques to steal card data. POS malware is already widespread and active year-round, but its activity usually spikes during the holiday shopping season.

According to Kromtech, Alina is now being sold online, and some of its variants have low detection rates on popular anti-virus engines (as tested with VirusTotal). Even the sites hosting relatively old C&C servers cannot be relied on for detection, the researchers say.

Contributing to this situation is the fact that many ElasticSearch servers are not properly configured, which lets attackers abuse them. In this instance, the infected servers were used as part of a larger POS botnet, serving as C&C infrastructure that controlled the POS malware clients.

This isn't the first time ElasticSearch nodes have made the news after falling to miscreants. In January this year, after tens of thousands of MongoDB databases were ransacked, hackers turned to ElasticSearch servers, deleted the data on them, and demanded ransoms of various amounts, claiming they could restore the wiped information.

A new wave of ransom attacks on improperly secured MongoDB deployments was observed a couple of weeks ago, prompting MongoDB to implement new security measures. The cybercriminals targeting insecure ElasticSearch servers, however, appear to have had other plans for them.

After performing a Shodan search, Kromtech discovered nearly 4000 infected ElasticSearch servers, most of which (about 99%) are hosted on Amazon.

“Why Amazon? Because on Amazon Web Services you can get a free t2.micro (EC2) instance with up to 10 GB of disk space. At the same time, t2.micro allows you to set up only ES versions 1.5.2 and 2.3.2. The AWS-hosted ES service gives you the possibility to configure your ES cluster in just a few clicks,” the researchers note.

This also suggests that many of those who configured these servers paid little attention to the security configuration steps during the quick installation process. As a result, the servers remained exposed to attackers, and Kromtech found that multiple actors hit them, just as happened during the ransom campaign at the beginning of the year.

Because the insecure ElasticSearch servers were infected multiple times, the discovered packages could be traced to different POS botnets. Because the attackers scan periodically, the time of infection could differ between servers even when the same package was involved. The most recent infections occurred at the end of August 2017.

The researchers also found that 52% of the infected servers run ElasticSearch version 1.5.2 and 47% run version 2.3.2; the remaining 1% run other versions.
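The common factor in all of the abuse described above is a node that answers anonymously on its HTTP port, not the version number itself. As an added example (not part of the Kromtech research or of this article), the Python script below classifies what one Elasticsearch node returns on `GET /`, the same request a Shodan-style scan or a ransom bot makes first: a 200 carrying the Elasticsearch root document means anyone who can reach the port can read, write and delete indices. The sample response body is constructed (the field layout matches a real 1.x/2.x root document, the node name and hashes are made up), the `REPORTED_VERSIONS` set is just the two versions this article names, and the `probe()` helper is an assumption about how a reader would run it against hosts they are authorised to test.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Versions the article reports on the infected hosts (52% on 1.5.2, 47% on 2.3.2).
# Being on one of these is not itself the flaw; anonymous access over the network is.
REPORTED_VERSIONS = {"1.5.2", "2.3.2"}

# Every Elasticsearch release answers GET / with this tagline; it is a cheap fingerprint.
ES_TAGLINE = "You Know, for Search"

# Constructed sample body, shaped like the real GET / reply of a 1.x/2.x node
# (field layout is real; node name and build hash are made up).
SAMPLE_OPEN_NODE = json.dumps({
    "status": 200,
    "name": "Node-1",
    "cluster_name": "elasticsearch",
    "version": {
        "number": "1.5.2",
        "build_hash": "0000000000000000000000000000000000000000",
        "build_snapshot": False,
        "lucene_version": "4.10.4",
    },
    "tagline": ES_TAGLINE,
})


def parse_root_response(body):
    """Return the version number from a GET / body, "unknown" if the body is an
    Elasticsearch root document without a version, or None if it is not Elasticsearch."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict) or doc.get("tagline") != ES_TAGLINE:
        return None
    version = doc.get("version")
    number = version.get("number") if isinstance(version, dict) else None
    return number if isinstance(number, str) and number else "unknown"


def assess_node(status, body):
    """Classify one probe result. status is the HTTP status (None if nothing answered),
    body is the response text (or the error message when status is None)."""
    if status is None:
        return {"exposed": False, "reason": "no HTTP answer: %s" % body}
    if status in (401, 403):
        # Something (Shield/X-Pack, a reverse proxy, an ACL) demands credentials.
        return {"exposed": False, "reason": "authentication or proxy ACL in front of the node"}
    if status != 200:
        return {"exposed": False, "reason": "http %d" % status}
    version = parse_root_response(body)
    if version is None:
        return {"exposed": False, "reason": "port answers but not with an Elasticsearch root document"}
    # Anonymous 200 on / means the REST API is open: indices can be listed, read and deleted.
    return {
        "exposed": True,
        "version": version,
        "in_reported_set": version in REPORTED_VERSIONS,
        "reason": "anonymous access to cluster root",
    }


def probe(host, port=9200, timeout=5):
    """Live probe of one host you are authorised to test; returns (status, body).
    Not called by default so the script runs offline."""
    url = "http://%s:%d/" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        return exc.code, ""
    except (URLError, OSError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample and on a refused request.
    print(assess_node(200, SAMPLE_OPEN_NODE))
    print(assess_node(401, ""))
```

A result with `exposed` set is the finding to act on regardless of the version. The 1.x line bound to all interfaces by default, so a fresh node on an EC2 instance whose security group allowed port 9200 was reachable from the whole internet the moment it started; 2.x binds to localhost unless `network.host` is changed, which most quick-start guides do. Neither line shipped authentication without a commercial plugin, so the fix is to keep `network.host` on a private address or `127.0.0.1` in `elasticsearch.yml` and to block 9200/9300 from the internet at the security group, rather than to upgrade.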

Related: Elasticsearch Servers Latest Target of Ransom Attacks

Related: PoS Malware Activity Spiked on Thanksgiving: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
