Cisco's security limb has spotted nefarious people targeting Elasticsearch clusters using relatively ancient vulns to plant malware, cryptocurrency miners and worse – though it does root out some other cybercrims’ dodgy wares, cuckoo-style.
"These attackers are targeting clusters using versions 1.4.2 and lower," said the networking giant's infosec arm, Talos, in a post summarising what its honeypot setup had caught for examination.
The seemingly China-based attackers used two known vulnerabilities in Elasticsearch – listed as CVEs in 2014 and 2015 respectively – to pass scripts to search queries, Talos said, allowing them further access to the old machines to drop a payload of their choice. Elasticsearch version 1.4.2 was first released in December 2014.
"These attacks leverage CVE-2014-3120 and CVE-2015-1427" said the security research outfit. The 2014 vuln lets attackers execute arbitrary MVEL expressions and Java code, while the 2015 flaw, which is specific to Elasticsearch's Groovy scripting engine "allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script".
The infosec unit continued: "The first payload invokes
wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file.”
The nasties seen by Talos achieve persistence by installing shell scripts as cron jobs.
Cisco Talos' Martin Lee told The Register: "In terms of the payloads we've been able to characterise, we've seen denial of service attack payloads, compromised systems being routed into a DoS or a botnet being used for DoS. We also see cryptomining."
He added that some of the payloads Cisco had seen on its honeypot Elasticsearch boxen were "being used as a point of ingress into an environment to then look for other machines which can subsequently be compromised," and that Talos had seen "six separate threat actors" exploiting the vulnerabilities.
Although businesses should not be running software suites that are five years out of date, Lee pointed out that organisations ought to make themselves more aware of "older unpatched machines in an environment which are faithfully doing what they're supposed to do and nobody wants to alter them that much".
While Talos stopped short of explicitly attributing the observed attacks to a China-based person or persons, its blog post goes into more detail about the QQ Chinese social network account, whose numeric handle was seen in a command executed by one of the payloads, concluding:
"We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions." ®