
Multiple threat actors are targeting Elasticsearch Clusters

Security researchers at Cisco Talos are warning of a spike in attacks on unsecured Elasticsearch clusters to drop cryptocurrency miners.

Cisco Talos experts have reported a spike in attacks that leverage known flaws to compromise unsecured Elasticsearch clusters and use them to mine cryptocurrencies.

At least six different threat actors are targeting installs running older versions (1.4.2 and lower), exploiting the CVE-2014-3120 and CVE-2015-1427 vulnerabilities to compromise them and install malicious code.

“Through ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries.” reads the analysis published by Talos.

“Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots.”

The most active of the threat actors involved in the wave of attacks attempts to deploy two distinct payloads with the initial exploit for the CVE-2015-1427 flaw. According to Talos, both payloads download the same bash script: the first invokes wget directly to fetch it, while the second uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms.

The bash script disables security protections and kills other malicious processes, primarily competing cryptominers. It then places the attackers' RSA key in the authorized_keys file. The script achieves persistence by installing shell scripts as cron jobs, and it can also be used to download additional miners.

Experts also discovered that the bash script downloads a UPX-packed ELF executable containing exploits for other systems, such as Drupal and Oracle WebLogic. They observed working exploits for CVE-2018-7600 in Drupal (aka Drupalgeddon2), CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons.

The experts observed a second threat actor using the exploit for CVE-2014-3120 to deliver malicious code that is a derivative of the Bill Gates DDoS malware.

Another group of attackers exploits the same flaw to download a file named “LinuxT” from an HTTP file server; the file is a variant of the Spike Trojan targeting x86, MIPS and ARM architectures.

“As part of our research, we observed that, in some cases, hosts that attempted to download the “LinuxT” sample also dropped payloads that executed the command “echo ‘qq952135763.'” This behavior has been seen in Elasticsearch error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account.” the experts continue.

The same QQ account is likely associated with other attacks that attempt to exploit CVE-2015-1427 to drop payloads executing both “echo ‘qq952135763′” and “echo ‘952135763’,” but those attacks did not also attempt to download “LinuxT.”

Three other actors are also targeting Elasticsearch, but they are not attempting to deliver any malware.

“Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe.” Talos concludes.

“Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases.”
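Talos's advice to disable scripting raises a practical question for defenders: does anything legitimate still send scripts to the cluster? The following added example (not from the Talos report and not Elasticsearch code) walks the JSON body of every search request in an access log and reports where scripting keys appear, so an operator can audit usage before turning the feature off. The "METHOD PATH BODY" log format and the sample lines are constructed for this example.

```python
import json
import re

# Keys under which Elasticsearch accepts script text in a request body.
SCRIPT_KEYS = {"script", "script_fields", "script_score", "scripted_metric"}
SEARCH_PATH = re.compile(r"(^|/)_search$")

# Constructed access-log lines in the form "METHOD PATH BODY"; the log
# format is an assumption for this example, not an Elasticsearch default.
SAMPLE_LOG = [
    'GET /logs/_search {"query":{"match_all":{}},"size":1}',
    'POST /logs/_search {"script_fields":{"x":{"script":"doc[\'a\'].value"}}}',
    'POST /_search {"size":1,"query":{"filtered":{"query":{"match_all":{}}}},'
    '"script_fields":{"exp":{"script":"1+1","lang":"groovy"}}}',
    'PUT /logs/doc/1 {"script":"not a search request, ignored"}',
    'POST /logs/_search this body is not json',
]


def script_keys(node, path=""):
    """Yield the JSON path of every scripting key anywhere in the body."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SCRIPT_KEYS:
                yield here
            yield from script_keys(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from script_keys(value, f"{path}[{i}]")


def flag_scripted_searches(lines):
    """Return (line_no, url, [json paths]) for search requests that carry scripts."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or not SEARCH_PATH.search(parts[1].split("?", 1)[0]):
            continue  # not a search endpoint; out of scope for this audit
        try:
            body = json.loads(parts[2])
        except json.JSONDecodeError:
            # A search body that does not parse is unusual and worth a look too.
            hits.append((no, parts[1], ["<unparseable body>"]))
            continue
        found = list(script_keys(body))
        if found:
            hits.append((no, parts[1], found))
    return hits
```

Running `flag_scripted_searches(SAMPLE_LOG)` reports lines 2, 3 and 5; line 4 is ignored because it is an index request rather than a search, and line 1 is a plain query with no scripting keys.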


Pierluigi Paganini

(SecurityAffairs – Elasticsearch, hacking)

