Security experts from Cisco Talos have spotted a spike in cyberattacks targeting unsecured Elasticsearch clusters running on older versions, 1.4.2 and lower.
Talos warned that attackers are exploiting older vulnerabilities “to pass scripts to search queries and drop the attacker’s payloads.”
Hackers then use the scripts to drop malware and cryptocurrency miners on their victims’ systems.
Talos described the threat in a recent blog post on Tuesday:
“Through ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots.”
Some of the common payloads used by the attackers involve the use of bash scripts to disable security software and kill off other malicious processes (such as other miners).
The research also found the bad actors exploited CVE-2014-3120 in order to deliver a payload that is a derivative of the Bill Gates distributed denial-of-service malware.
Another of the actors targeted the same CVE-2014-3120 to download a malicious file named “LinuxT” from an HTTP file server.
Talos urges administrators to upgrade Elasticsearch to the latest version if they haven’t already.
“Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe,” Talos added.
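For defenders, the Python below is an added example, not code from Talos or the original article: it flags cluster versions in the range the article names (1.4.2 and lower) and locates scripts passed in search requests, whether in the JSON body or in the `source` URL parameter. The key names `script` and `script_fields`, the handling of `source`, and the sample requests are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

AFFECTED_MAX = (1, 4, 2)  # the article: versions 1.4.2 and lower
SCRIPT_KEYS = {"script", "script_fields"}  # assumed keys that carry scripts in a search body

def is_affected(version):
    """True when a version string such as '1.3.9' is 1.4.2 or lower."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    return parts + (0,) * (3 - len(parts)) <= AFFECTED_MAX

def script_paths(node, path="$"):
    """Recursively list JSON paths whose key is a script-bearing key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in SCRIPT_KEYS:
                found.append(here)
            found += script_paths(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += script_paths(item, f"{path}[{i}]")
    return found

def scripted_search(url, body):
    """Return script locations in a _search request (body or ?source=), else []."""
    parts = urlsplit(url)
    if "_search" not in parts.path.split("/"):
        return []
    docs = [body] + parse_qs(parts.query).get("source", [])
    hits = []
    for doc in docs:
        try:
            hits += script_paths(json.loads(doc))
        except (TypeError, ValueError):
            continue  # empty or non-JSON body: nothing to inspect
    return hits

# Constructed sample requests with benign scripts, not taken from the Talos report.
SAMPLES = [
    ("/logs/_search", '{"query": {"match_all": {}}}'),
    ("/logs/_search", '{"size": 1, "script_fields": {"x": {"script": "1+1"}}}'),
    ("/_search?source=%7B%22script_fields%22%3A%7B%22x%22%3A%7B%22script%22%3A%221%22%7D%7D%7D", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url[:40], scripted_search(url, body))
```

On a cluster that legitimately uses scripting, the returned paths are a starting point for review against known application queries rather than an alert on their own.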