Kromtech Security Center Discovers Massive Elasticsearch Infected Malware Botnet
One of our recent research projects focused on publicly accessible Elasticsearch (ES) nodes. On a number of them we found suspiciously named indices that had no relation to a normal Elasticsearch deployment.
Among the many red flags, some of the file names referenced AlinaPOS and JackPOS. These are point-of-sale (POS) malware families that scrape payment card data from infected terminals using a range of techniques. JackPOS, for example, disguises itself as Java or a Java utility: it copies itself directly into the %APPDATA% directory or into a Java-like sub-directory beneath it. It uses the machine's MAC address as a bot ID and encodes the stolen card data before exfiltration so that it is harder to spot on the wire. This malware first became widespread in 2012, but it is still effective today and still for sale online.
In 2014 the family tree looked as follows:
Today the picture is much worse and much more widespread.
Despite periodic security warnings and industry news, POS malware has been out of the headlines for a while, but the danger to millions of cardholders remains. Kromtech researchers began looking for updates on this specific type of malware and on the files being distributed from unsuspecting servers. What surprised them is that new and updated versions of the malware are currently for sale to anyone.
On Cybercrime Tracker (https://cybercrime-tracker.net/index.php?search=alina) we saw new samples of these malware families, and VirusTotal showed a low detection rate for them across the most popular antivirus engines.
Even for relatively old command and control (C&C) hosting sites, there is not enough information in public feeds to flag the real risk. The VirusTotal URL scanner showed that only 6 of the 65 available antivirus engines and website scanners identified the new versions of the POS malware.
Why did it happen?
The Elasticsearch nodes had no authentication. An ES node exposed to the internet in its default configuration accepts any request on its REST API, so anyone who can reach port 9200 can read, write and delete indices and change cluster settings with what amounts to full administrative privilege. That is how the C&C files were installed. Once the malware was in place, the criminals could remotely use the server's resources, run code on it, and steal or completely destroy any data the server held.
In our case, a large number of AWS-hosted Elasticsearch instances had been hijacked for malicious use. Moreover, every infected ES server became part of a larger POS botnet, providing command and control (C&C) functionality for POS malware clients. Those clients collect, encrypt and exfiltrate payment card data stolen from POS terminals, from process memory, or from other infected Windows machines.
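The exposure described above can be confirmed with two unauthenticated requests: GET / (the node banner) and GET /_cat/indices. The Python script below is an added example, not Kromtech's tooling; the banner and index list it parses are constructed for the example, and the indicator strings are simply the two malware family names mentioned in this article. Run it with no arguments for the offline demonstration, or with a base URL of a node you are authorised to test.

```python
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Index-name fragments derived from the two malware families named in this
# article. This is a starting point for triage, not a complete signature set.
POS_INDICATORS = ("alina", "jackpos")

# Constructed sample of GET /_cat/indices?format=json from an open node.
# The index names are made up for this example.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "logstash-2017.08.29",
     "docs.count": "120043", "store.size": "88mb"},
    {"health": "yellow", "status": "open", "index": "alina_panel",
     "docs.count": "311", "store.size": "1.2mb"},
    {"health": "yellow", "status": "open", "index": "jackpos-cc",
     "docs.count": "27", "store.size": "140kb"},
])

# Constructed sample of the banner GET / returns on a 1.5.2 node.
SAMPLE_BANNER = json.dumps({
    "status": 200, "name": "Node-1", "cluster_name": "elasticsearch",
    "version": {"number": "1.5.2"}, "tagline": "You Know, for Search",
})


def is_unauthenticated(status_code: int, body: str) -> bool:
    """A node that answers GET / with 200 and its banner JSON (instead of 401)
    accepts anonymous requests, and anonymous writes with them."""
    if status_code != 200:
        return False
    try:
        banner = json.loads(body)
    except ValueError:
        return False
    return isinstance(banner, dict) and "cluster_name" in banner and "version" in banner


def es_version(banner_body: str) -> str:
    """Extract version.number from the banner; '' if absent or unparsable."""
    try:
        return json.loads(banner_body).get("version", {}).get("number", "")
    except (ValueError, AttributeError):
        return ""


def suspicious_indices(cat_indices_body: str,
                       indicators=POS_INDICATORS) -> List[Dict[str, str]]:
    """Return the _cat/indices rows whose names contain a known indicator."""
    hits = []
    for row in json.loads(cat_indices_body):
        name = row.get("index", "").lower()
        matched = [ind for ind in indicators if ind in name]
        if matched:
            hits.append({"index": row["index"],
                         "docs": row.get("docs.count", "?"),
                         "indicator": ",".join(matched)})
    return hits


def fetch(url: str, timeout: float = 5.0):
    """GET url and return (status_code, body). Only used in live mode."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def audit(base_url: str) -> None:
    """Live check of one node, e.g. http://10.0.0.5:9200 (hypothetical address)."""
    status, body = fetch(base_url + "/")
    if not is_unauthenticated(status, body):
        print(f"{base_url}: not open (HTTP {status})")
        return
    print(f"{base_url}: OPEN, Elasticsearch {es_version(body)}")
    _, cat = fetch(base_url + "/_cat/indices?format=json")
    for hit in suspicious_indices(cat):
        print(f"  suspicious index {hit['index']} ({hit['docs']} docs): {hit['indicator']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        audit(sys.argv[1].rstrip("/"))
    else:
        # Offline demonstration on the constructed samples above.
        print("open:", is_unauthenticated(200, SAMPLE_BANNER),
              "version:", es_version(SAMPLE_BANNER))
        for hit in suspicious_indices(SAMPLE_CAT_INDICES):
            print(hit)
```

The banner check is deliberately strict: a 200 with an HTML login page (as a reverse proxy or X-Pack would return) does not count as open, only the JSON banner does. Index-name matching is the weakest part of the triage, so treat a hit as a reason to pull the documents and look, not as proof of infection.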
The old C&C interface used by the POS malware is shown below (taken from http://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html).
We then checked with Shodan (the IoT search engine we commonly use, which returns service banners and metadata for internet-facing hosts) how many systems on the internet show similar signs of infection.
As of today there are nearly 4,000 infected Elasticsearch servers, and about 99% of them are hosted on Amazon.
Why are nearly all of the Elasticsearch servers hosted by Amazon Web Services?
Amazon Web Services offers customers a free-tier T2 micro (EC2 / Elastic Compute Cloud) instance with up to 10 GB of disk space. T2 instances are designed for general-purpose workloads that don't use the full CPU, such as web servers, developer environments and small databases. The problem is that on the T2 micro you can only run Elasticsearch 1.5.2 or 2.3.2, which is why those two versions dominate the infected population.
The Amazon platform lets users stand up an Elasticsearch cluster in a few clicks, but people usually skip the security configuration during that quick setup. This is where a simple mistake has big repercussions, and in this case it did, exposing a massive amount of sensitive data.
Kromtech security researchers found the same file structures via Shodan.io on Elasticsearch services, compared the modification times of the suspicious files across the infected servers, and drew the following conclusions:
There are different packages of C&C malware on the same hosts, i.e. servers were infected multiple times
Different packages may belong to different botnets (POS malware is sold not only on darknet markets but on public sites as well)
Many servers are infected; for the same package the infection time differs from server to server, consistent with periodic scanning and gradual botnet expansion
Nearly 99% of infected servers are hosted on Amazon Web Services
52% of infected servers run Elasticsearch version 1.5.2, 47% run 2.3.2, and 1% run other versions
Recent infections were made at the end of August 2017
The following table presents Kromtech Security Center's findings: the distribution of infected AWS instances that were attacked through vulnerable or misconfigured Elasticsearch servers and Amazon security settings:
Kromtech Security Center highly recommends the following actions for effective incident response:
Check the log files on all servers in your infrastructure
Check network connections and traffic
Take a snapshot/backup of all running systems before changing them
Extract malware samples and send them to us for further analysis (firstname.lastname@example.org)
Reinstall all compromised systems; if you cannot, clean up all suspicious processes, scan the systems with antivirus, and monitor them for anomalous connections over the next 3 months
Install the latest Elasticsearch release or completely reinstall it
Close all unused ports to external access, or whitelist only trusted IPs
See also the security recommendations on the Elastic site: https://www.elastic.co/products/x-pack/security
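The "check connections" and "whitelist only trusted IPs" recommendations above can be turned into a repeatable check on each Elasticsearch host. The Python below is an added example, not part of Kromtech's write-up: it parses the output of `ss -tn state established` and lists peers talking to the REST port (9200) or the node transport port (9300) that fall outside an allow-listed range. The sample `ss` output, the addresses in it, and the 10.0.0.0/8 allow-list are constructed for the example; replace the allow-list with the ranges your cluster and its clients actually use.

```python
import ipaddress
import subprocess
import sys
from typing import Iterable, List, NamedTuple

# Default Elasticsearch ports: 9200 (HTTP REST API), 9300 (node transport).
ES_PORTS = {9200, 9300}

# Constructed sample of `ss -tn state established` on an ES host. With a state
# filter ss omits the State column. Addresses are from documentation ranges.
SAMPLE_SS = """\
Recv-Q Send-Q Local Address:Port      Peer Address:Port
0      0      10.0.1.23:9200          10.0.1.50:52214
0      0      10.0.1.23:9200          203.0.113.77:41002
0      0      10.0.1.23:9300          10.0.1.24:44120
0      0      [::ffff:10.0.1.23]:9200 [::ffff:198.51.100.9]:55011
0      0      10.0.1.23:22            198.51.100.9:55012
"""

# Constructed allow-list: the private range the cluster and its clients live in.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


class Conn(NamedTuple):
    local_port: int
    peer_ip: str
    peer_port: int


def _split_hostport(field: str):
    """'[::1]:9200' -> ('::1', 9200); '10.0.1.23:9200' -> ('10.0.1.23', 9200)."""
    host, port = field.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_ss(output: str) -> List[Conn]:
    """Parse ss rows into Conn tuples. Works with or without the State column:
    the local and peer sockets are the first two fields ending in ':<digits>',
    which also skips the header ('Address:Port' has no numeric port)."""
    conns = []
    for line in output.splitlines():
        hostports = [f for f in line.split()
                     if ":" in f and f.rsplit(":", 1)[1].isdigit()]
        if len(hostports) < 2:
            continue
        _, lport = _split_hostport(hostports[0])
        phost, pport = _split_hostport(hostports[1])
        conns.append(Conn(lport, phost, pport))
    return conns


def untrusted_es_peers(conns: Iterable[Conn], trusted=TRUSTED_NETS) -> List[Conn]:
    """Connections to an ES port whose peer is outside every trusted network."""
    flagged = []
    for c in conns:
        if c.local_port not in ES_PORTS:
            continue
        ip = ipaddress.ip_address(c.peer_ip)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # compare ::ffff:a.b.c.d as plain IPv4
        if not any(ip in net for net in trusted):
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    if "--live" in sys.argv:
        output = subprocess.run(["ss", "-tn", "state", "established"],
                                capture_output=True, text=True, check=True).stdout
    else:
        output = SAMPLE_SS  # offline demonstration on the constructed sample
    for c in untrusted_es_peers(parse_ss(output)):
        print(f"untrusted peer {c.peer_ip}:{c.peer_port} -> local port {c.local_port}")
```

A non-empty result on a production node means either the allow-list is incomplete or someone outside your network is talking to the cluster directly; in the scenario this article describes, the latter is exactly how the C&C files arrived. The connection to port 22 in the sample is ignored on purpose: the check is scoped to Elasticsearch, and SSH exposure is a separate question.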
Vulnerability types in ELK
Infographics for infected ES servers:
The following graph shows the vulnerable Elasticsearch versions found on the infected servers, which attackers used to distribute and control malware through vulnerable or misconfigured Elasticsearch installations:
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: email@example.com