Trove of infected Elasticsearch nodes uncovered


Once again, thousands of misconfigured Elasticsearch servers have placed the internet at risk. The vast majority of the poorly secured servers were hosted on Amazon Web Services. Attackers enlisted 4,000 of those servers into a powerful Point-Of-Sale (PoS) botnet.

The security firm Kromtech Alliance, which found the unsecured servers, says that they were researching Elasticsearch servers that were not properly authenticated and publicly accessible. When they found the poorly configured instances, 15,000 of those in total, they recognized that 27 percent (the 4,000) were infected with the AlinaPOS and JackPOS malware. Both of these malware applications are used to infect PoS systems and steal credit card data in real time.

Organizations use Elasticsearch as a search engine for large data pools.

“The lack of authentication allowed the installation of malware on the ElasticSearch servers. The public configuration allows the possibility of cyber criminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server’s resources and even launch a code execution to steal or completely destroy any saved data the server contains,” the Kromtech Alliance researchers wrote in a post from earlier this week.

Unfortunately, poorly secured Elasticsearch servers are an increasingly common problem. Earlier this year attackers began pillaging open Elasticsearch clusters on AWS, MongoDB, and Hadoop systems.

In those instances, attackers did everything from trying to extort ransom from users to destroying all the data they could find on vulnerable targets. In those previous events, the numbers of affected instances were also quite high. In a blog post at the time, the Fidelis Threat Research Team tallied the number of exposed Hadoop installations at between 8,000 and 10,000 worldwide. “A core issue is similar to MongoDB, namely the default configuration can allow access without authentication. This means an attacker with basic proficiency in HDFS can start deleting files,” they wrote.

That lack of authentication is the same problem affecting those 15,000 unsecured Elasticsearch servers this week.

All organizations that run public cloud services should take steps to ensure those resources require proper authentication for access. Even if the owners of those cloud resources don’t value what is running in those clouds, or don’t believe their data is of value to attackers and criminals, the cloud resources and capacity themselves are valuable to all types of attackers.
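As an added illustration of what “require proper authentication” means for an Elasticsearch node (this fragment is not from the article or from Kromtech; the keys are the standard `elasticsearch.yml` settings, while the cluster name, the private address and the certificate paths are constructed placeholders), the first block shows the exposed shape behind the incidents described above and the second a hardened one:

```yaml
# --- Exposed configuration (the pattern behind the incidents above) ---
# Listening on every interface with no security layer means anyone who can
# reach port 9200 gets full administrative control of the cluster.
cluster.name: example-cluster        # constructed name
network.host: 0.0.0.0                # binds to all interfaces, including the public one
http.port: 9200
# xpack.security.enabled is absent or false: no authentication at all

# --- Hardened configuration ---
cluster.name: example-cluster        # constructed name
# Bind only to the private address the application tier uses; the cloud
# security group should then allow 9200/9300 from that tier only.
network.host: 10.0.1.20              # constructed private address
http.port: 9200
# Turn on the built-in security layer (free in the basic licence since
# Elasticsearch 6.8/7.1; on 2017-era releases this required the paid X-Pack subscription).
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # path assumed
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # path assumed
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                         # path assumed
```

After restarting with the hardened file, set passwords for the built-in users (`bin/elasticsearch-setup-passwords interactive` on 6.x and 7.x), then confirm from the application tier that an unauthenticated request to port 9200 is refused with an HTTP 401 rather than answered with cluster details; that single check is what separates the 4,000 infected nodes from a properly configured one.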

That means those compromised resources can be used to launch denial-of-service attacks, attacks against PoS systems (as was the case discovered this week), or any other type of attack the criminals can imagine.

All of us, as users of the internet and cloud resources, are placed at risk by these users who don’t take security and good system hygiene seriously. And it’s past time everyone takes securing the systems they control seriously if they don’t already.

