Shoddily-set-up Elastisearch hosting point-of-sale malware

Lazily-configured software has again created a security incident, this time resulting in 4,000 instances of open source analytics and search tool Elasticsearch inadvertently running PoS-stealing malware.

Kromtech's Bob Diachenko writes those servers are just 27 per cent of a total of 15,000 ill-secured Elasticsearch nodes the company found, and 99 per cent of the infected servers are hosted at AWS.

This one's caused by people clicking through the hard parts of Elasticsearch configuration, Kromtech explains, usually when taking up AWS' offer of a free AWS T2 micro instance as part of its Elastic Compute Cloud offering. That offer is limited to Elastisearch versions 1.5.2 or 2.3.2, and and Diachenko says “people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions and in this case it did by exposing a massive amount of sensitive data.”

The company found command-and-control servers for Alina and JackPoS point-of-sale malware running on the compromised hosts:

Every infected Elasticsearch Server became a part of a bigger POS Botnet with Command and Control (C&C) functionality for POS (point-of-sale) malware clients. These clients are collecting, encrypting and transferring credit card information stolen from POS terminals, RAM memory or infected Windows machines.

That lack of security also means the malware scum have full administrative privilege on the compromised systems: “Once the malware is in place criminals could remotely access the server’s resources and even … steal or completely destroy any saved data the server contains.”

The most recent round of infections happened in August, the post states. Sysadmins need to check their Elasticsearch instances, patch and/or reinstall as required, lock down their external Internet ports, and if they find malware, send a sample to Kromtech. ®