IT administrators at companies whose staff use Elasticsearch for data searching and analytics are being warned to update to the latest version of the tool after the discovery of a backdoor attack that can steal data and turn an infected machine into botnets for distributed denial of service (DDoS) attacks.
An open-source tool, Elasticsearch can be vulnerable when employees use older versions or leave search/analytic results unprotected. Attackers often look for these vulnerable servers as an entry point into enterprises, usually to deposit cryptomining malware or ransomware.
However, in a blog today, Trend Micro said it has seen a new attack that downloads a different payload through a sophisticated system of expendable domains to help evade detection.
Once the attacker finds an exposed database or server and installs backdoor malware, a shell on the infected device downloads the first malicious script from an expendable or easy-to-replace domain. That script will attempt to shut down the firewall as well as any already-running cryptocurrency mining activities and other processes. A second-stage script is then retrieved, likely from a compromised website.
The use of expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected, says Trend Micro. Abusing compromised websites can also let them evade detection of websites specially developed by the attackers.
The malware samples seen by Trend Micro look similar to what has been called the BillGates malware, first seem in 2014 and known for being used to hijack systems and initiate DDoS attacks or be involved in botnets.
The inclusion of detection evasion and multi-stage execution techniques “is a red flag,” says Trend Micro. It could mean attackers are testing their hacking tools or readying their infrastructure before mounting actual attacks.
“This attack highlights the importance of properly securing digital assets, as the impact of an unsecure Elasticsearch server can have real-life repercussions,” the blog authors say.
Elastic has already released a patch for the vulnerability this attack exploits, as well as guidelines on how to secure, properly configure, and enable its security features. Additional security mechanisms like data categorization, network segmentation, and intrusion prevention systems will help reduce further exposure to malware and breaches.
