Security researchers have recently detected an increased number of attacks against Elasticsearch clusters running older versions with known vulnerabilities. At least six different groups of attackers are searching for and exploiting insecure deployments to abuse servers.
Elasticsearch is a distributed search engine platform written in Java designed for processing large data sets. It is commonly used in companies and organizations that work with big data.
“Through ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters,” researchers from Cisco’s Talos group said in a report this week. “These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries.”
Attackers use the Elasticsearch exploit for multiple purposes
The exploits affect Elasticsearch 1.4.2 and lower, and the malicious scripts deliver different payloads depending on the actor using them. One group appears to consistently install cryptocurrency mining programs, but also downloads an additional payload with exploits for vulnerabilities in other technologies including CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons.
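A defender-side check for the two conditions the article describes, a cluster running 1.4.2 or lower and scripts arriving inside search request bodies, written as an added example that is not from the article or from Talos. The request-record shape (dicts with src, path and body) and the sample records are constructed assumptions; adapt them to whatever proxy or access log fronts the cluster.

```python
import json
import re

# The article names 1.4.2 as the last release exposed to these exploits.
LAST_VULNERABLE_VERSION = (1, 4, 2)
# Body keys that carry scripts in Elasticsearch 1.x search requests.
SCRIPT_KEYS = {"script", "script_fields", "script_score"}

def is_vulnerable_version(version: str) -> bool:
    """True when an Elasticsearch version string is 1.4.2 or lower."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad '1.4' to (1, 4, 0)
    return parts <= LAST_VULNERABLE_VERSION

def contains_script(node) -> bool:
    """Recursively look for script parameters anywhere in a request body."""
    if isinstance(node, dict):
        if SCRIPT_KEYS.intersection(node):
            return True
        return any(contains_script(v) for v in node.values())
    if isinstance(node, list):
        return any(contains_script(item) for item in node)
    return False

def flag_script_queries(requests):
    """Return the _search requests whose JSON body carries a script."""
    # Records are dicts with 'src', 'path' and 'body'; this shape is a
    # constructed assumption, adapt it to your proxy or access-log format.
    flagged = []
    for req in requests:
        if "_search" not in req["path"]:
            continue
        try:
            body = json.loads(req["body"]) if req["body"] else {}
        except json.JSONDecodeError:
            continue  # not a JSON query body
        if contains_script(body):
            flagged.append(req)
    return flagged

# Constructed sample records, not real traffic.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/logs/_search",
     "body": '{"query": {"match_all": {}}}'},
    {"src": "198.51.100.7", "path": "/_search",
     "body": '{"size": 1, "script_fields": {"x": {"script": "1+1"}}}'},
    {"src": "10.0.0.9", "path": "/_cluster/health", "body": ""},
]
```

Running flag_script_queries over the constructed records flags only the second one; legitimate clusters that rely on scripted fields will need an allow-list of known client sources before this is used as an alert.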
“The [additional] exploits are sent, typically via HTTPS, to the targeted systems,” the researchers said. “As evidenced by each of these exploits, the attacker’s goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary.”
The rogue bash scripts do more than deliver exploits, though. They disable security protections, kill competing malicious processes and add the attackers’ SSH key to the authorized_keys list so they get continued remote access.
Another group of hackers targets Elasticsearch clusters using the CVE-2014-3120 exploit to deploy a malicious program designed to launch distributed denial-of-service (DDoS) attacks. This malware …