
New malware attack turns Elasticsearch databases into DDoS botnet


The malware attack involves two stages including one in which existing cryptomining malware is removed.

The IT security researchers at Trend Micro have discovered a new malware campaign targeting Elasticsearch databases in the wild.
The campaign takes advantage of unprotected or publicly reachable Elasticsearch databases, infects them with malware, and then turns them into botnet zombies that carry out distributed denial-of-service (DDoS) attacks.
According to the researchers, the malware used in the attack is the Setag backdoor, originally discovered in 2017. Setag is equipped with capabilities such as launching DDoS attacks and stealing system information.
Further analysis of the binaries revealed the presence of the BillGates malware as well. BillGates surfaced back in 2014 with the same capabilities as Setag, including launching DDoS attacks and compromising the targeted device.
Attack’s workflow (Image: Trend Micro)
The malware attacks in two stages. In the first stage, the malware runs the script s67.sh to shut down the firewall and define which shell should be used. In the second stage, the malware deletes files, including various configuration files in the /tmp directory, as well as existing cryptominers installed by other threat actors, all so that it can run its own operation unhindered.

“The ways that the scripts are retrieved are notable,” researchers said in their blog post. “Using expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected.”
It is worth noting that the threat actors use compromised websites to host their payload. Trend Micro researchers warn that abusing compromised websites may also help the attackers evade detection more easily than sites they set up themselves would. The researchers call these capabilities of the malware a “red flag.”
“The cybercriminals or threat actors behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks.”
Remember, Elasticsearch servers have a history with malware. In September 2017, security researcher Bob Diachenko identified over 4,000 Elasticsearch servers hosting PoS malware. In total, Diachenko identified over 15,000 Elasticsearch servers that had no authentication or password protection at all.



Any business using Elasticsearch should watch out for the new attack. Elasticsearch has already issued a patch for the vulnerability exploited by this attack, so apply the patch and secure your deployment before you become the next victim.
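Both the 2017 exposure described above and this campaign start from the same two weaknesses: an Elasticsearch node reachable from outside its host, and no authentication in front of it. As an added example (not code from the article or from Trend Micro), the following Python script audits an elasticsearch.yml offline for exactly those two settings. It assumes the flat `dotted.key: value` layout elasticsearch.yml normally uses, treats an absent `network.host` as the loopback default, and (by assumption, matching the 6.x/7.x releases current when this attack was reported) treats an absent `xpack.security.enabled` as disabled. The two sample configurations are constructed for the demonstration.

```python
"""Offline audit of an elasticsearch.yml for the two weaknesses this attack relies on:
a node reachable beyond localhost and no authentication on its HTTP interface.
Added example; not part of the original article or of any Elastic tooling."""
import ipaddress

# Values Elasticsearch accepts for network.host that stay on the local host.
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; comments and blank lines are skipped.
    Nested YAML blocks are out of scope for this check (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings


def is_loopback_binding(host):
    """True only for bindings that never leave the host. Special values such as
    _site_ or _global_, hostnames and interface names are treated as exposed."""
    host = host.strip().strip('"\'')
    if host in LOOPBACK_ALIASES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_elasticsearch_yml(text):
    """Return a list of human-readable findings; an empty list means both checks passed."""
    settings = parse_flat_yaml(text)
    findings = []

    # Elasticsearch binds the loopback interface when network.host is unset.
    raw_hosts = settings.get("network.host", "_local_")
    hosts = [h for h in raw_hosts.strip("[]").split(",") if h.strip()]
    if not all(is_loopback_binding(h) for h in hosts):
        findings.append(
            f"network.host={raw_hosts!r} exposes the node beyond localhost; "
            "bind to loopback or a private interface behind a firewall"
        )

    # Assumption: a missing xpack.security.enabled means authentication is off,
    # which is how the 6.x/7.x releases of the time behaved.
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(
            "xpack.security.enabled is not true: anyone who can reach port "
            f"{settings.get('http.port', '9200')} can read and write every index"
        )
    return findings


# Constructed sample configurations for the demonstration.
WEAK_CONFIG = """
cluster.name: search-prod
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: search-prod
network.host: ["127.0.0.1", "::1"]
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_elasticsearch_yml(cfg) or ['no findings']}")
```

Run it against a copy of the node's elasticsearch.yml before the node is exposed; a clean result still leaves the Elasticsearch version itself to be checked against the patch mentioned above, since the audit only covers exposure and authentication.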
