Unsecured Elasticsearch servers turned into PoS malware C&Cs
Security researchers have discovered over 4,000 Elasticsearch servers compromised to distribute and control PoS malware. 99 percent of them are hosted by Amazon.
What is Elasticsearch?
Elasticsearch is the most popular choice for enterprise search engines.
Based on the open source information retrieval software library Lucene, it is itself open source, and it provides a full-text search engine with an HTTP web interface and JSON documents.
A number of organizations, including Amazon Web Services (AWS), offer Elasticsearch as a managed service (they take care of hosting, deployment, backup, support, etc.).
Why are compromised Elasticsearch servers mostly AWS-hosted?
A Shodan search revealed some 15,000 Elasticsearch instances exposed on the Internet, and of these 27 percent were found hosting files that indicate they’ve been compromised to serve as C&C infrastructure for the AlinaPOS and JackPOS malware families.
But 99 percent of the 4,067 infected ES servers are hosted by Amazon Web Services, and there’s an explanation for that.
“Amazon Web Services provides customers with a free T2 micro (EC2 / Elastic Compute Cloud) instance with up to 10GB of disk space. These T2 instances are designed for operations that don’t use the full CPU for general purpose workloads, such as web servers, developer environments, and small databases. The problem is that on the T2 micro, you can set only versions 1.5.2 and 2.3.2,” Kromtech Security’s Bob Diachenko explained.
“The Amazon hosting platform gives users the possibility to configure the Elasticsearch cluster in just a few clicks, but usually, people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions and in this case it did by exposing a massive amount of sensitive data.”
“The lack of authentication allowed the installation of malware on the Elasticsearch servers. The public configuration allows cyber criminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server’s resources and even launch code execution to steal or completely destroy any saved data the server contains,” he added.
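The condition Diachenko describes is simple to verify from the outside: an Elasticsearch node that answers its root endpoint and index listing to a client that presents no credentials at all. The following check is an added example written for this article, not code from Kromtech or from Elastic. It issues the two requests an anonymous client would make (GET / and GET /_cat/indices) and reports what came back. The stub server at the bottom is a constructed stand-in for the Elasticsearch HTTP API so the check can be run offline; the port numbers and cluster name it uses are made up for the demonstration.

```python
"""Check whether an Elasticsearch endpoint answers unauthenticated requests.

Added example (not from the article or Kromtech). Probes an endpoint the way an
anonymous client would and records which responses came back without
credentials. A constructed stub server is included so it runs offline.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_anonymous_access(host, port, timeout=5):
    """Return a dict describing what an unauthenticated client can read."""
    base = f"http://{host}:{port}"
    result = {"reachable": False, "anonymous_root": False,
              "anonymous_indices": False, "version": None, "indices": []}
    try:
        with urllib.request.urlopen(f"{base}/", timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except urllib.error.HTTPError:
        # 401/403: the node is reachable but demands credentials. That is the
        # desired state for an Internet-facing node.
        result["reachable"] = True
        return result
    except (urllib.error.URLError, OSError):
        return result  # nothing listening, firewalled, or timed out
    result["reachable"] = True
    if "cluster_name" in body:  # the Elasticsearch banner leaked anonymously
        result["anonymous_root"] = True
        result["version"] = body.get("version", {}).get("number")
    try:
        url = f"{base}/_cat/indices?format=json"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            indices = json.loads(resp.read().decode())
    except (urllib.error.URLError, OSError, ValueError):
        return result
    result["anonymous_indices"] = True
    result["indices"] = [i.get("index") for i in indices]
    return result


def is_exposed(finding):
    """Any anonymous read of the banner means the node needs auth or a firewall."""
    return finding["anonymous_root"]


class _StubES(BaseHTTPRequestHandler):
    """Constructed stand-in for the Elasticsearch HTTP API (test fixture only)."""
    require_auth = False

    def do_GET(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.end_headers()
            return
        if self.path == "/":
            payload = {"cluster_name": "demo", "version": {"number": "2.3.2"}}
        elif self.path.startswith("/_cat/indices"):
            payload = [{"index": "orders"}, {"index": ".kibana"}]
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = json.dumps(payload).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_stub(require_auth):
    """Start the stub on an ephemeral loopback port; return (server, port)."""
    handler = type("Stub", (_StubES,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = run_stub(require_auth=False)
    print(probe_anonymous_access("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

Run the probe against your own node from a host outside the trusted network; a result with `anonymous_root` set to `True` is exactly the configuration the article describes, and the fix is the one Diachenko gives: restrict the port to trusted addresses and require authentication.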
These compromises have been going on for a while, and the most recent infections date from the end of August 2017. Also, many of the servers have been infected multiple times.
What now?
Elasticsearch server owners would do well to check whether their servers have been compromised.
They should search for these telling files and file structures:
Diachenko advises them to check their log files, connections and traffic, make a backup of running systems, and reinstall all compromised systems. “Install latest Elastic patch or completely reinstall it, and close all non-used ports from external access, or white-list only trusted IPs,” he concluded.
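Checking connections against an allowlist of trusted IPs, as Diachenko recommends, can be scripted. The example below is added here and is not from the article, Kromtech or Elastic. It reads connection listings in the layout of `ss -tn` (the sample embedded in the block is constructed, using documentation address ranges) and flags established peers on the Elasticsearch HTTP and transport ports, 9200 and 9300 by default, whose address is outside the CIDR ranges the operator trusts. The trusted ranges and the local addresses are assumptions for the demonstration.

```python
"""Flag Elasticsearch connections from addresses outside a trusted allowlist.

Added example, not from the article. Parses lines in the layout of `ss -tn`
and reports established peers on ports 9200/9300 that are not in the
operator's trusted CIDR ranges.
"""
import ipaddress

ES_PORTS = {9200, 9300}  # Elasticsearch HTTP and transport defaults

# Constructed sample in `ss -tn` layout (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
ESTAB  0      0      10.0.1.15:9200          10.0.1.22:51344
ESTAB  0      0      10.0.1.15:9200          203.0.113.77:40021
ESTAB  0      0      10.0.1.15:9300          10.0.1.23:38800
ESTAB  0      0      10.0.1.15:22            198.51.100.9:55012
ESTAB  0      0      [::ffff:10.0.1.15]:9200 [::ffff:192.0.2.10]:4412
"""


def _split_host_port(endpoint):
    """Split 'host:port' or '[v6]:port'; unwrap IPv4-mapped IPv6 addresses."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host.startswith("::ffff:"):  # dual-stack socket showing an IPv4 peer
        host = host[len("::ffff:"):]
    return host, int(port)


def parse_ss(output):
    """Return established connections as dicts with local port and peer address."""
    conns = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or non-established state
        _, lport = _split_host_port(fields[3])
        phost, _ = _split_host_port(fields[4])
        conns.append({"local_port": lport, "peer": phost})
    return conns


def untrusted_es_peers(output, trusted_cidrs):
    """List (peer, local_port) pairs talking to ES ports from outside the allowlist."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for conn in parse_ss(output):
        if conn["local_port"] not in ES_PORTS:
            continue  # e.g. SSH sessions are out of scope here
        addr = ipaddress.ip_address(conn["peer"])
        if not any(addr in net for net in nets):
            flagged.append((conn["peer"], conn["local_port"]))
    return flagged


if __name__ == "__main__":
    for peer, port in untrusted_es_peers(SAMPLE_SS_OUTPUT, ["10.0.1.0/24"]):
        print(f"untrusted peer {peer} connected to port {port}")
```

On a live host, feed it the real output of `ss -tn` and your own trusted ranges; any hit is a connection the firewall or security-group allowlist should have blocked and is worth correlating with the log review and backup steps above before reinstalling.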
For more advice about ES security, here’s a handy guide by Elastic, the company developing the search engine.