Hackers target Elasticsearch to set up DDoS botnet on AWS
Vulnerability in search engine software exploited by criminals
Hackers are exploiting a vulnerability in search engine software to install DDoS malware in AWS. The bug could also affect other cloud providers.
The flaw targets Elasticsearch, which is a Java-based open source search engine technology. This allows developers to add full-text searches to applications for various types of documents through a REST API.
The technology has a distributed architecture that can run on multiple nodes and as such is commonly used in cloud environments such as AWS, Azure and Google Compute Cloud, among others.
However, researchers at Kaspersky Labs have found that cybercriminals have exploited a flaw in the software to install DDoS malware on various clouds.
The flaw was found in Elasticsearch v. 1.1x and a scripting exploit. The software has default support for active scripting, but does not use authentication and also does not sandbox the script code.
Criminals can use the flaw to hack into EC2 VMs and then use a use a new variant of Linux DDoS Trojan Mayday – Backdoor.Linux.Mayday.g – to launch their attack, according to Kaspersky Lab principal security researcher Kurt Baumgartner.
“The [Mayday variants] in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations IP addresses to those of an anti-DDoS solution,” he said in a blog post.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers,” he added.
Baumgartner said “compromised hosts used to run the bots we observed have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and misused.”
He added that the list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, “indicating the perpetrators are likely your standard financially driven cybercrime ilk”.
In a statement, Amazon said that it notified customers of "potential security concerns" about Elasticsearch on 29 May 2014.
“Elasticsearch is not a software offering specific to AWS, and therefore presents a security concern for any service provider with customers that choose to use Elasticsearch in a manner inconsistent with security best practices,” the firm said.
It urged users of Elasticsearch 1.1x customers to upgrade to the latest versions as soon as possible. More information on Elasticsearch can be found here.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.