New attack on Elasticsearch instances detected

IT administrators at companies whose staff use Elasticsearch for data searching and analytics are being warned to update to the latest version of the tool after the discovery of a backdoor attack that can steal data and turn an infected machine into botnets for distributed denial of service (DDoS) attacks.

An open-source tool, Elasticsearch can be vulnerable when employees use older versions or leave search/analytic results unprotected. Attackers often look for these vulnerable servers as an entry point into enterprises, usually to deposit cryptomining malware or ransomware.

However, in a blog today, Trend Micro said it has seen a new attack that downloads a different payload through a sophisticated system of expendable domains to help evade detection.

Once the attacker finds an exposed database or server and installs backdoor malware, a shell on the infected device downloads the first malicious script from an expendable or easy-to-replace domain. That script will attempt to shut down the firewall as well as any already-running cryptocurrency mining activities and other processes. A second-stage script is then retrieved, likely from a compromised website.

The use of expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected, says Trend Micro. Abusing compromised websites can also let them evade detection of websites specially developed by the attackers.

The malware samples seen by Trend Micro look similar to what has been called the BillGates malware, first seem in 2014 and known for being used to hijack systems and initiate DDoS attacks or be involved in botnets.

The inclusion of detection evasion and multi-stage execution techniques “is a red flag,” says Trend Micro. It could mean attackers are testing their hacking tools or readying their infrastructure before mounting actual attacks.

“This attack highlights the importance of properly securing digital assets, as the impact of an unsecure Elasticsearch server can have real-life repercussions,” the blog authors say.

Elastic has already released a patch for the vulnerability this attack exploits, as well as guidelines on how to secure, properly configure, and enable its security features. Additional security mechanisms like data categorization, network segmentation, and intrusion prevention systems will help reduce further exposure to malware and breaches.



Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now