Hackers are attacking Internet-exposed Elasticsearch clusters with the goal of turning them into DDoS botnets.
In these multi-stage attacks, the attackers used scripts to plant a backdoor capable of stealing information and carrying out DDoS attacks.

“The latest attack we spotted deviates from the usual profit-driven motive by delivering backdoors as its payload. These threats can turn affected targets into botnet zombies used in distributed-denial-of-service (DDoS) attacks”, the Trend Micro report says.
Having found vulnerable servers, the attackers downloaded a first-stage malicious script that disables the firewall and kills any crypto miners it finds on the target server. Next, a second-stage script with similar functionality was uploaded to the server. It could also disable the firewall and delete certain files, including various configuration files and the files of competing malware, if they were present on the system.
It then killed crypto-mining processes and other unwanted processes on the system and loaded the backdoor. Both scripts were downloaded from compromised websites in order to avoid detection.
“The samples bear the hallmarks of the BillGates malware, first encountered in 2014 and known for being used to compromise systems and initiate DDoS attacks. Of late, we’ve seen variants of the BillGates malware involved in botnet-related activities”, Trend Micro specialists reported.
Previously, this malware appeared in attacks that exploited the remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638).
As part of the attacks, the hackers exploited a vulnerability (CVE-2015-1427) in the Groovy scripting engine bundled with Elasticsearch (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2): a sandbox bypass that lets a remote attacker run arbitrary code through the search API's dynamic scripting.
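The practical question for a defender is whether a given node falls inside those version ranges. The following script is an added example, not code from the article or from Trend Micro: it parses the version number from the JSON that an Elasticsearch node returns for `GET /`, compares it against the inclusive ranges named above, and additionally scans an `elasticsearch.yml` for the vendor's published mitigation for CVE-2015-1427 (`script.groovy.sandbox.enabled: false`), which the article itself does not mention. The two JSON responses are constructed samples; a real check would fetch the body over HTTP before handing it to `node_is_vulnerable`.

```python
"""Version check for the Elasticsearch ranges the article lists as exposed to
CVE-2015-1427 (1.3.0-1.3.7 and 1.4.0-1.4.2).

Added example, not code from the article or from Trend Micro. The JSON
documents below are constructed to look like the root ("GET /") response of
a 1.x node; the `script.groovy.sandbox.enabled` check follows the vendor's
published mitigation and is not something the article describes.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges the article names as vulnerable to CVE-2015-1427.
VULNERABLE_RANGES = (
    ((1, 3, 0), (1, 3, 7)),
    ((1, 4, 0), (1, 4, 2)),
)


def parse_version(text: str) -> Optional[Version]:
    """Turn '1.4.2' or '1.4.2-SNAPSHOT' into (1, 4, 2); None if unparsable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(text: str) -> bool:
    """True when the version falls inside one of VULNERABLE_RANGES."""
    version = parse_version(text)
    if version is None:
        return False
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def node_is_vulnerable(root_json: str) -> bool:
    """root_json is the body an Elasticsearch node returns for GET /."""
    data = json.loads(root_json)
    number = data.get("version", {}).get("number", "")
    return is_vulnerable_version(number)


def groovy_sandbox_disabled(config_text: str) -> bool:
    """Scan elasticsearch.yml text for the vendor-recommended mitigation
    `script.groovy.sandbox.enabled: false`. A plain line scan on purpose,
    so no YAML library is needed; comments and blank lines are skipped."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")
        if sep and key.strip() == "script.groovy.sandbox.enabled":
            return value.strip().lower() == "false"
    return False


# Constructed sample responses: one node in the affected range, one patched.
SAMPLE_VULNERABLE_ROOT = json.dumps({
    "status": 200,
    "name": "node-1",
    "version": {"number": "1.4.2", "build_hash": "0000000"},
    "tagline": "You Know, for Search",
})
SAMPLE_PATCHED_ROOT = json.dumps({
    "status": 200,
    "name": "node-2",
    "version": {"number": "1.4.3", "build_hash": "0000000"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    for label, body in (("vulnerable sample", SAMPLE_VULNERABLE_ROOT),
                        ("patched sample", SAMPLE_PATCHED_ROOT)):
        verdict = "AFFECTED" if node_is_vulnerable(body) else "not affected"
        print(f"{label}: {verdict}")
```

A node reporting 1.3.8 or 1.4.3 is outside the ranges and is not flagged; a node inside the ranges is flagged regardless of the sandbox setting, since the version check and the configuration check answer different questions (is the code vulnerable, and has the workaround been applied) and both are worth recording in an inventory.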