Nearly 4,000 Malware-Riddled Elasticsearch Servers Found on AWS

Researchers have discovered that almost 4,000 Elasticsearch servers hosted on the Amazon Web Services (AWS) cloud are infected with malware that targets point-of-sale (PoS) systems.

That finding comes from a report released this week by researchers at Kromtech Security Center, which provides security, backup and analytics solutions for Macs. On Tuesday, Kromtech reported that over 15,000 instances of Elasticsearch, an open source search and analytics engine, had been left exposed to the public.

About 4,000 of those exposed instances were found to be infected by at least one of two types of PoS malware, "JackPOS" and "AlinaPOS," which work by infecting PoS devices and scraping customers' credit card information. JackPOS and AlinaPOS first began cropping up in 2012, but there is evidence that they are still available for sale among hacking circles like VX Heaven, as well as spinning off new strains that are difficult to detect using many anti-virus scanners.

According to Kromtech Chief Communications Officer Bob Diachenko, leaving the Elasticsearch instances open to the public enabled cyber criminals to install the PoS malware unimpeded. "The lack of authentication allowed the installation of malware on the ElasticSearch servers. The public configuration allows the possibility of cyber criminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server's resources and even launch a code execution to steal or completely destroy any saved data the server contains," he wrote.

The vast majority of those 4,000 exposed servers -- 99 percent, by Kromtech's estimate -- are hosted on AWS, which Kromtech attributed to customers taking advantage of AWS' free usage tier for its t2.micro compute instances. This free usage offer supports only Elasticsearch versions 1.5.2 (which reached its end of life just over a year ago, according to this Elasticsearch support page) and 2.3.2 (which is slated to lose support at the end of this month).

Unsurprisingly, those two versions represented the bulk of the infected Elasticsearch instances; version 1.5.2 accounted for 52 percent, while version 2.3.2 accounted for 47 percent.

In addition, Diachenko theorized that AWS' setup process may not have pressed the security issue enough for users configuring their Elasticsearch instances. "The Amazon hosting platform gives users the possibility to configure the ElasticSearch cluster in just a few clicks, but usually, people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions, and in this case it did by exposing a massive amount of sensitive data," he wrote.

Not only were these exposed Elasticsearch instances infected with the PoS malware, but, Diachenko said, "every infected ES [Elasticsearch] Server became a part of a bigger POS Botnet with Command and Control (C&C) functionality for POS (point-of-sale) malware clients. These clients are collecting, encrypting and transferring credit card information stolen from POS terminals, RAM memory or infected Windows machines."

The latest infections took place as recently as the end of August, Kromtech reported. The company recommends that administrators lock down access to their infrastructure to allow only trusted IPs, to make sure that their Elasticsearch patches are up to date, and to reinstall any systems that they suspect have been compromised.
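The two root causes the article describes, an API that answers without credentials and a security group that leaves the Elasticsearch ports open to the whole internet, can be checked mechanically. The following script is an added example written for this article; it is not Kromtech's tooling or anything from the Elasticsearch project. It takes the JSON a node returns for an unauthenticated `GET /` and a list of security-group ingress rules, flags the exposure and end-of-life conditions, and rewrites world-open rules into per-trusted-range rules as Kromtech recommends. The sample response, the ingress rules, the trusted ranges and the rule that versions up to 2.3.2 count as unsupported are all assumptions constructed for the example.

```python
"""Audit one Elasticsearch node for the exposure pattern described in the article.

Inputs are constructed inline so the script runs offline; swap in the real
root-endpoint response and your security-group rules to audit a live node.
"""
import ipaddress
import json

ES_PORTS = {9200, 9300}        # HTTP API and transport ports
LAST_UNSUPPORTED = (2, 3, 2)   # assumption: everything up to 2.3.2 is treated as unsupported

# Constructed sample of what an unauthenticated GET / returns (not captured from any real server).
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.5.2", "lucene_version": "4.10.4"},
    "tagline": "You Know, for Search",
})

# Constructed sample security-group ingress rules (hypothetical).
SAMPLE_INGRESS = [
    {"port": 22, "cidr": "203.0.113.0/24"},
    {"port": 9200, "cidr": "0.0.0.0/0"},
    {"port": 9300, "cidr": "::/0"},
]

# Hypothetical admin and application networks that are allowed to reach the cluster.
TRUSTED_CIDRS = ["203.0.113.0/24", "10.0.0.0/16"]


def parse_version(text):
    """'1.5.2' -> (1, 5, 2); a suffix such as '-beta1' on a component is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix covering the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_trusted(cidr, trusted):
    """True if the range lies entirely inside one of the trusted ranges (same IP family)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in map(ipaddress.ip_network, trusted))


def audit(root_response, ingress_rules, trusted):
    """Return a list of findings; root_response is None when GET / required credentials."""
    findings = []
    if root_response is not None:
        info = json.loads(root_response)
        findings.append("root endpoint answers without credentials (no authentication in front of the API)")
        version = info.get("version", {}).get("number")
        if version and parse_version(version) <= LAST_UNSUPPORTED:
            findings.append(f"version {version} is past its support window; upgrade or rebuild")
    for rule in ingress_rules:
        if rule["port"] not in ES_PORTS:
            continue
        if is_world_open(rule["cidr"]):
            findings.append(f"port {rule['port']} open to the whole internet ({rule['cidr']})")
        elif not is_trusted(rule["cidr"], trusted):
            findings.append(f"port {rule['port']} reachable from untrusted range {rule['cidr']}")
    return findings


def restrict_to_trusted(ingress_rules, trusted):
    """Replace world-open Elasticsearch ingress rules with one rule per trusted range."""
    hardened = []
    for rule in ingress_rules:
        if rule["port"] in ES_PORTS and is_world_open(rule["cidr"]):
            for cidr in trusted:
                replacement = {"port": rule["port"], "cidr": cidr}
                if replacement not in hardened:
                    hardened.append(replacement)
        elif rule not in hardened:
            hardened.append(rule)
    return hardened


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROOT_RESPONSE, SAMPLE_INGRESS, TRUSTED_CIDRS):
        print("FINDING:", finding)
    print("hardened ingress:", restrict_to_trusted(SAMPLE_INGRESS, TRUSTED_CIDRS))
```

On the constructed sample the audit reports four findings (unauthenticated API, unsupported version 1.5.2, and ports 9200 and 9300 open to the world); after `restrict_to_trusted` the network findings disappear, while the version and authentication findings still require an upgrade or, for a node suspected of compromise, a rebuild as the article advises. Restricting ingress alone does not clean an already infected node.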

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.
