Cisco Talos experts have reported a spike in attacks that leverage known flaws to compromise unsecured Elasticsearch clusters and use them to mine cryptocurrencies.
At least six different threat actors are targeting installs running older versions (1.4.2 and lower), exploiting the CVE-2014-3120 and CVE-2015-1427 vulnerabilities to compromise them and install malicious code.
“Through ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries.” reads the analysis published by Talos.
“Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots.”
The most active of the threat actors involved in the wave of attacks
The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with
The bash script is used to disable security protections and kill other malicious processes, primarily other
Experts also discovered that the bash script also downloads a UPX-packed ELF executable that contains exploits to target other systems such as Drupal and
The experts observed a second threat actor using the CVE-2014-3120 exploit to deliver malicious code that is a derivative of the Bill Gates DDoS malware.
Another group of attackers exploits the same flaw to download a file named “
“As part of our research, we observed that, in some cases, hosts that attempted to download the “
The same QQ account is likely associated with other attacks that attempt to exploit CVE-2015-1427 to drop payloads that execute both “echo ‘qq952135763’” and “echo ‘952135763’”, but they did not attempt to also download “LinuxT.”
Three other actors are also targeting Elasticsearch, but they are not attempting to deliver any malware.
“Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be
“Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases,”
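The two checks that follow from the Talos advice above (is the running version in the affected ranges, and are scripts still arriving inside search queries) can be automated. The script below is an added example written for this article, not code from Talos or Security Affairs. It assumes a version string as returned by `GET /` on the cluster (`version.number`), request bodies captured as JSON text from a reverse proxy or honeypot in front of the cluster (the samples are constructed), and the script-related setting names of the Elasticsearch 1.x release lines (`script.disable_dynamic` and `script.groovy.sandbox.enabled` before 1.6, `script.inline` and `script.indexed` in 1.6 and 1.7).

```python
"""Defender-side checks for the Elasticsearch script-injection surface:
version triage against CVE-2014-3120 / CVE-2015-1427, the hardening
settings to apply, and detection of inline scripts in captured search
request bodies. Added example; sample data below is constructed."""
import json
import re
from typing import Any, Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse '1.4.2' (or '1.4.2-something') into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version: str) -> List[str]:
    """CVE ids whose published affected ranges include this version."""
    v = parse_version(version)
    cves = []
    # CVE-2014-3120: dynamic scripting enabled by default before 1.2.0
    if v < (1, 2, 0):
        cves.append("CVE-2014-3120")
    # CVE-2015-1427: Groovy sandbox bypass, fixed in 1.3.8 and 1.4.3
    if v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3):
        cves.append("CVE-2015-1427")
    return cves


def hardening_settings(version: str) -> Dict[str, str]:
    """elasticsearch.yml lines that turn off scripts sent through queries
    (1.x setting names; newer branches use their own documented keys)."""
    v = parse_version(version)
    if v < (1, 6, 0):
        return {"script.disable_dynamic": "true",
                "script.groovy.sandbox.enabled": "false"}
    if v < (2, 0, 0):
        return {"script.inline": "off", "script.indexed": "off"}
    return {}


def find_inline_scripts(body: str) -> List[Tuple[str, str]]:
    """Return (json_path, script_text) for every inline script in a
    search request body. Handles the 1.x form ("script": "<code>") and
    the later object form ("script": {"inline": "<code>"})."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON: nothing for this check to say
    hits: List[Tuple[str, str]] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                here = f"{path}.{key}" if path else key
                if key == "script" and isinstance(val, str):
                    hits.append((here, val))
                elif key == "script" and isinstance(val, dict):
                    for field in ("inline", "source"):
                        if isinstance(val.get(field), str):
                            hits.append((f"{here}.{field}", val[field]))
                else:
                    walk(val, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(doc, "")
    return hits


# Constructed sample request bodies (not captured traffic).
BENIGN_SEARCH = json.dumps({"query": {"match": {"title": "elasticsearch"}}, "size": 10})
SCRIPT_FIELDS_SEARCH = json.dumps({
    "query": {"match_all": {}},
    "script_fields": {"doubled": {"script": "doc['price'].value * 2", "lang": "groovy"}},
})
SCRIPT_SORT_SEARCH = json.dumps({
    "sort": [{"_script": {"script": {"inline": "doc['rank'].value", "lang": "groovy"},
                          "type": "number", "order": "desc"}}],
})


def triage(version: str, captured: List[Tuple[str, str]]) -> List[str]:
    """Produce alert lines for a cluster version and (source, body) pairs."""
    alerts = [f"version {version} affected by {cve}" for cve in affected_cves(version)]
    for source, body in captured:
        for path, code in find_inline_scripts(body):
            alerts.append(f"{source}: inline script at {path}: {code[:60]!r}")
    return alerts


if __name__ == "__main__":
    samples = [("198.51.100.7", BENIGN_SEARCH),      # RFC 5737 test address
               ("198.51.100.8", SCRIPT_FIELDS_SEARCH),
               ("198.51.100.9", SCRIPT_SORT_SEARCH)]
    for line in triage("1.4.2", samples):
        print(line)
    print("recommended settings:", hardening_settings("1.4.2"))
```

Any inline script in a search request is reported, whatever it contains: if the cluster's use case does not need scripts in queries, the presence of one is itself the finding, which is exactly the setting Talos recommends disabling. The version check follows the published affected ranges, so a 1.4.2 node reports CVE-2015-1427 and a 1.1.x node reports both CVEs.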
(SecurityAffairs – Elasticsearch, hacking)