Attackers Turn Elasticsearch Databases Into DDoS Bots

A recently detected attack campaign is attempting to ensnare Elasticsearch clusters into a distributed denial of service (DDoS) botnet, Trend Micro reports. 

The multi-stage attacks leverage scripts to ultimately deliver backdoors to the targeted servers and turn them into DDoS bots. 

As part of the attack, the threat actor searches for exposed or publicly accessible Elasticsearch databases/servers. A crafted search query containing encoded Java commands is used to invoke a shell, after which the first malicious script is downloaded.

The first-stage script attempts to shut down the firewall and any competing cryptocurrency mining programs already running on the target server. Next, a second-stage script is retrieved, likely from a compromised website.

The actor behind these attacks is believed to be using expendable domains to quickly swap URLs when they are detected. By abusing compromised websites, the attackers can evade detection, Trend Micro says.

The URL observed in the analyzed attack was meant to exploit CVE-2015-1427, an old vulnerability in the Groovy scripting engine of Elasticsearch (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2).
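A defender can look for this pattern in the access log of a proxy placed in front of Elasticsearch. The sketch below is an added example, not code from Trend Micro or SecurityWeek: it undoes repeated URL encoding on each request target and flags `_search` requests that carry script content or Java process-spawning names. The log format, the `source` query parameter, the marker strings and the sample lines are assumptions constructed for illustration, and queries sent in a POST body would not appear in such a log.

```python
import re
from urllib.parse import unquote_plus

# Assumed indicator strings (not from the article): Java process-spawning names
# that have no business appearing in a search request.
JAVA_MARKERS = ("java.lang.runtime", "java.lang.processbuilder", "getruntime", ".exec(")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines; the payloads are inert fragments, not real requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:00:00:00 +0000] "GET /logs/_search?q=status:200 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2000:00:00:01 +0000] "GET /_search?source='
    '%7B%22script_fields%22%3A%7B%22x%22%3A%7B%22script%22%3A%22java.lang.Runtime%22%7D%7D%7D'
    ' HTTP/1.1" 200 90',
    '203.0.113.7 - - [01/Jan/2000:00:00:02 +0000] "GET /_search?source='
    '%257B%2522script_fields%2522%253A%2522java.lang.ProcessBuilder%2522%257D HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Jan/2000:00:00:03 +0000] "GET /_cluster/health HTTP/1.1" 200 120',
]

def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds layers of URL encoding (payloads may be double-encoded)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return reasons a logged request looks like scripted-search abuse (heuristic)."""
    match = REQUEST_RE.search(line)
    target = fully_decode(match.group("target")).lower() if match else ""
    if "_search" not in target:
        return []
    reasons = ["script content in search request"] if "script" in target else []
    hits = [m for m in JAVA_MARKERS if m in target]
    if hits:
        reasons.append("java markers: " + ", ".join(hits))
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line."""
    results = [(i, inspect_line(line)) for i, line in enumerate(lines, 1)]
    return [(i, reasons) for i, reasons in results if reasons]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```
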

The second-stage script has functions similar to those of the first, as it too attempts to stop the firewall. It also removes certain files, likely associated with competing malware, along with various configuration files from the /tmp directory. 

Next, it kills other cryptocurrency-mining activities and unwanted processes on the system, attempts to remove traces of the initial infection, and kills processes running on certain TCP ports. The script also downloads the actual malware binary.

The final payload is a backdoor capable of stealing system information and launching DDoS attacks. The threat was previously observed using an exploit for CVE-2017-5638, a remote-code-execution vulnerability in Apache Struts 2.

The observed samples are similar to the BillGates malware, which was first spotted in 2014, and which is known for hijacking systems and launching DDoS attacks. 

“Of late, we’ve seen variants of the BillGates malware involved in botnet-related activities,” Trend Micro notes. 

Early this year, Cisco’s Talos security researchers revealed that multiple groups were targeting unsecured Elasticsearch clusters, and that one of them was attempting to infect the servers with a piece of malware derived from BillGates. 

The assaults on Elasticsearch servers are relatively straightforward and profit-driven, Trend Micro says. The miscreants seek unsecured or misconfigured servers or exploit old vulnerabilities to drop a payload that usually consists of cryptocurrency-mining malware or even ransomware.

“Hence, an attack that takes precautions to evade detection and uses multistage execution techniques is a red flag. That the cybercriminals or threat actors behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks,” Trend Micro concludes. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
