Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Elasticsearch Clusters Under Attack From Multiple Hacking Groups

Cisco Talos’ security researchers warn of a spike in attacks on unsecured Elasticsearch clusters, coming from six distinct actors.

Cisco Talos’ security researchers warn of a spike in attacks on unsecured Elasticsearch clusters, coming from six distinct actors.

The assaults attempt to exploit vulnerabilities in older versions (1.4.2 and lower) and leverage scripts to drop both malware and crypto-currency miners on victim machines. The attackers attempt to exploit CVE-2014-3120 and CVE-2015-1427, old vulnerabilities that allow them to pass scripts to search queries.

The most active of the actors attempts to deploy two distinct payloads with the initial exploit, always using CVE-2015-1427, Talos reveals. Using different methods, both payloads download the same bash script, likely to ensure the exploit works on a broader range of platforms. 

The bash script attempts to disable security protections and kill other malicious processes that might be running on the host, primarily other mining malware, and then place its RSA key in the authorized_keys file. The script achieves persistence and can be used to download miners and their configuration files.

The script also downloads a UPX-packed ELF executable that contains exploits targeting vulnerabilities in other systems for remote code execution: CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are usually served via HTTPS.

A second actor attempts to exploit CVE-2014-3120 to deliver a Bill Gates-derivative distributed denial-of-service malware. 

A third actor exploits the same vulnerability to download a file named “LinuxT” from an HTTP file server, but the file is no longer hosted on the server. The researchers say this is likely a variant of the Spike Trojan targeting x86, MIPS and ARM architectures.

In some cases, hosts attempting to download LinuxT were also observed dropping payloads that execute the command “echo ‘qq952135763’,” this appears to be referencing to an account on QQ, a popular Chinese social media website. 

Talos couldn’t link the account to the activity, although they did tie it to the potential attacker’s Gitee page (a Chinese code-sharing website similar to Github or Atlassian), to an account on Chinese hacking forum xiaoqi7, and to posts on topics related to exploits and malware on other forums. 

Other attacks attempted to exploit CVE-2015-1427 to drop payloads that execute both “echo ‘qq952135763′” and “echo ‘952135763’,” but they did not attempt to also download “LinuxT.” 

Three other actors observed targeting Elasticsearch did not deliver any malware through their exploits. 

“Given the size and sensitivity of the data sets these [Elasticsearch] clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases,” Talos concludes.

Related: Elasticsearch Instances Expose Data of 82 Million U.S. Users

Related: POS Malware Abuses Exposed ElasticSearch Nodes for C&C

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...