Over 4,000 Elasticsearch servers were found hosting PoS (Point of Sale) malware strains. The infections detected date as far back as 2016, with the latest infections observed as recently as August 2017. Nearly 99% of the infected servers are hosted in Amazon Web Services (AWS), according to security experts.
The two malware strains — AlinaPOS and JackPOS — are very popular among cybercriminals and have been around since 2012. However, Kromtech security researchers, who uncovered the two malware strains hosted on Elasticsearch servers, also discovered that the two strains are now up for sale on dark web hacking forums and are being actively distributed, despite having been initially released several years ago.
"The absence of authentication on some Elasticsearch servers allowed attackers to take full administrative control of the exposed instance. This opened a range of possibilities for them - starting from the hidden use of resources and remote code execution to complete destruction of previously saved data," Kromtech researcher Bob Diachenko wrote in a blog. "Why Amazon? Because on Amazon Web Services you can get a free t2 micro (EC2) instance with up to 10 GB of disk space. At the same time t2 micro allows setting up only versions ES 1.5.2 and 2.3.2."
Kromtech security researchers uncovered over 15,000 Elasticsearch servers that had no authentication or password protection. In over 4,000 of those 15,000 servers, attackers had hidden command and control (C&C) servers for PoS malware strains.
"The main reason for malicious actors to use ES servers is that (if open) their configuration allows not only reading but also writing/installing external files without additional confirmation. The ES interface (Kibana) does not see these files," Diachenko told IBTimes UK. "It's highly effective because even if one or several infected servers shut down, the rest will work as usual and stolen cc data will be processed through other ways."
"Every infected ES Server became a part of a bigger POS Botnet with Command and Control (C&C) functionality for POS (point-of-sale) malware clients. These clients are collecting, encrypting and transferring credit card information stolen from POS terminals, RAM memory or infected Windows machines," Diachenko added.
Diachenko told Bleeping Computer that Kromtech has reached out to "affected companies" and also attempted to get in touch with Amazon.
"According to our research, traces of malware have been noticed; there are more than 4,000 affected systems, mostly located in the US area. One of the main updates made to Alina and Jack is that they are now automatically targeting/scanning for Elasticsearch Amazon instances with no authentication in place," Diachenko told us.
For those running Elasticsearch servers, Kromtech security researchers recommend that the servers be properly configured. Researchers also advise users to check log files, connections and traffic, and to close all unused ports. "Reinstall all compromised systems, otherwise, you need to clean up all suspicious processes, check your systems with antivirus and also monitor your system during the next three months for any anomaly connection," Diachenko wrote in his blog.
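The "proper configuration" advice above comes down to a few settings in elasticsearch.yml on the 1.x/2.x versions named in the article, which had no built-in authentication. The following audit script is an added example, not Kromtech's or Elastic's code; the two config samples are constructed, and the parser assumes the flat `dotted.key: value` layout elasticsearch.yml uses.

```python
"""Audit a flat elasticsearch.yml for settings that leave an unauthenticated
Elasticsearch 1.x/2.x node reachable from the network (added example)."""
import re

# Constructed sample: node bound to every interface, CORS open, dynamic scripts on.
EXPOSED_CONFIG = """
cluster.name: pos-cluster
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
script.inline: on
"""

# Constructed sample: same node listening only on loopback, dynamic scripting off.
HARDENED_CONFIG = """
cluster.name: pos-cluster
network.host: 127.0.0.1
http.port: 9200
http.cors.enabled: false
script.inline: false
"""

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; skip comments/blank lines, drop quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.\-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit_config(text):
    """Return a list of findings describing exposure-relevant settings."""
    cfg = parse_flat_yaml(text)
    findings = []
    host = cfg.get("network.host", "")
    loopback = host in ("127.0.0.1", "::1", "_local_") or host.startswith("127.")
    if not host:  # 1.x binds all interfaces when unset; 2.x defaults to loopback
        findings.append("network.host unset: on 1.x the REST API binds all interfaces")
    elif not loopback:
        findings.append("network.host=%r: REST API reachable beyond loopback" % host)
    if cfg.get("http.cors.enabled", "false").lower() == "true" and \
            cfg.get("http.cors.allow-origin") in ("*", "/.*/"):
        findings.append("http.cors.allow-origin='*': any web page may call the API")
    # 2.x uses script.inline (on/true); 1.x used script.disable_dynamic (false = on).
    if cfg.get("script.inline", "").lower() in ("on", "true") or \
            cfg.get("script.disable_dynamic", "").lower() == "false":
        findings.append("dynamic scripting enabled: unauthenticated clients may run code")
    return findings

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(text) or ["no findings"])
```

A node that must be reachable by other hosts still needs a firewall or proxy in front of port 9200 (a reverse proxy with authentication, or Elastic's own security links referenced at the end of the article), because the configuration file alone cannot add authentication on these versions.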
Earlier in the year, Elasticsearch servers were targeted by MongoDB hackers to distribute ransomware.
This article has been updated to include comments from Kromtech researcher Bob Diachenko and links provided by Elastic, the makers of Elasticsearch, on how users can secure their servers.