Popular Search Engine Under Threat From Malicious Malware For Crypto Mining Purposes

At the start of the week, the Elasticsearch search engine was under threat of being turned into a cryptocurrency-mining botnet that could also be used in distributed denial-of-service (DDoS) attacks.

The cybersecurity firm Trend Micro describes a new malware strain that launches multi-stage attacks on publicly accessible databases and servers that run old versions of Elasticsearch software.

Trend Micro has said:

“[…] Many of the malicious traffic or attacks that we see targeting Elasticsearch are relatively straightforward, and more often than not, profit-driven.”

They continue: 

“An attacker looks for unsecured or misconfigured servers or exploits old vulnerabilities, then drops the final payloads that typically consist of cryptocurrency-mining malware or even ransomware.”

To explain how the malware actually works, consider the servers involved: out-of-date Elasticsearch servers that are made to download and execute a series of malicious scripts, one stage after another.

“The ways that the scripts are retrieved are notable,” said Trend Micro. “Using expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected.”

The first-stage script attempts to disable any firewalls running on the targeted machine, then kills any cryptocurrency-mining processes that are already running and anything else that might interfere with it.

The Next Web reports:

“This secondary script generally prepares the host for delivery of the final payload by stopping firewalls, removing configuration files, and scrubbing traces of the initial infection.

The end result is a machine loaded with the BillGates/Setag malware, which is capable of hijacking systems, initiating DDoS attacks, and even linking up with other infected machines to form powerful botnets.”
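The staged behaviour described above (firewall disabled, competing processes killed, traces of the infection scrubbed) is something a defender can look for in a host's command audit trail. The following is an added example, not code from Trend Micro, The Next Web or Elastic: it assumes an audit log laid out as `timestamp host command` (one event per line), treats two or more distinct stages on the same host within an assumed ten-minute window as one sequence, and runs over constructed sample lines.

```python
"""Flag hosts whose shell audit trail shows the staged behaviour the article
describes: firewall disabled, processes killed, traces scrubbed.
Added example, not vendor code. Assumed log layout: 'ISO-timestamp host command'.
Sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator patterns per stage, matched against the command field.
STAGES = {
    "firewall_disabled": re.compile(
        r"\b(iptables\s+-F|ufw\s+disable|systemctl\s+(stop|disable)\s+firewalld)\b"),
    "process_killed": re.compile(r"\b(pkill|killall|kill\s+-9)\b"),
    "traces_scrubbed": re.compile(r"\brm\s+-r?f\b.*(/etc/|/var/log/|history)"),
}

WINDOW = timedelta(minutes=10)  # assumption: stages this close together form one sequence

LINE_RE = re.compile(r"^(?P<ts>\S+T\S+)\s+(?P<host>\S+)\s+(?P<cmd>.+)$")


def parse_line(line):
    """Split one audit line into (timestamp, host, command); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def classify(cmd):
    """Names of every stage whose indicator pattern matches the command."""
    return [name for name, pat in STAGES.items() if pat.search(cmd)]


def find_staged_hosts(lines):
    """Return {host: sorted stage names} for hosts where at least two distinct
    stages occur within WINDOW of each other; single admin actions are ignored."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, host, cmd = parsed
        for stage in classify(cmd):
            events[host].append((ts, stage))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            window_stages = {s for t, s in evs[i:] if t - ts <= WINDOW}
            if len(window_stages) >= 2:
                flagged[host] = sorted(window_stages)
                break
    return flagged


# Constructed sample audit lines: es-node-1 shows the full sequence in three
# minutes; web-1 shows two isolated admin actions hours apart.
SAMPLE_LOG = [
    "2019-07-23T10:00:01 es-node-1 ls -la /var/lib/elasticsearch",
    "2019-07-23T10:02:15 es-node-1 iptables -F",
    "2019-07-23T10:02:16 es-node-1 pkill -f miner",
    "2019-07-23T10:02:40 es-node-1 rm -rf /var/log/secure",
    "2019-07-23T09:15:00 web-1 systemctl stop firewalld",
    "2019-07-23T14:00:00 web-1 pkill -f old-agent",
    "not a valid line",
]

if __name__ == "__main__":
    for host, stages in find_staged_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring at least two stages inside the window is what keeps a routine `systemctl stop firewalld` during maintenance from paging anyone; tune the window and the patterns to the shells and tools your fleet actually uses.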

Researchers from Trend Micro have cautioned that malware that evades detection and features multi-stage execution isn’t something to dismiss, or as they put it, it is a ‘red flag’.

“That the cybercriminals (or threat actors) behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks.” 

So if you run Elasticsearch, we advise you to patch it as soon as possible, and to review Elastic's guidelines on how to enable and configure its security features.
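Two things an administrator can check directly follow from that advice: whether a node answers an unauthenticated `GET /` on its HTTP port with its version banner, and whether `elasticsearch.yml` binds the node beyond loopback without security enabled. The script below is an added example, not Elastic's own tooling; the version baseline is a placeholder (the article names no version) to be replaced with the release you have patched to, the `xpack.security.enabled` default is assumed to be false as it was on the older releases the article concerns, and the banner and config samples are constructed.

```python
"""Audit an Elasticsearch node from two defender-visible inputs: the JSON
banner returned by GET / and the node's elasticsearch.yml.
Added example, not Elastic code. Sample inputs are constructed."""
import json
import re

# PLACEHOLDER: the article gives no version number; set this to the release
# you consider patched.
PLACEHOLDER_MIN_VERSION = (7, 0, 0)


def parse_version(number):
    """'6.2.4' -> (6, 2, 4); pre-release suffixes such as '-beta1' are dropped."""
    core = number.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def assess_banner(status_code, body, min_version=PLACEHOLDER_MIN_VERSION):
    """Findings from an unauthenticated GET / against the HTTP port (9200 by default).
    401 means security rejected the request, the desired state; 200 with a JSON
    banner means anyone on the network can read cluster details and the version."""
    findings = []
    if status_code == 401:
        return findings
    if status_code != 200:
        findings.append(f"unexpected status {status_code}; check manually")
        return findings
    findings.append("banner readable without authentication")
    try:
        number = json.loads(body)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        findings.append("banner not parseable; not a standard Elasticsearch response")
        return findings
    if parse_version(number) < min_version:
        baseline = ".".join(map(str, min_version))
        findings.append(f"version {number} is below baseline {baseline}")
    return findings


KEY_RE = re.compile(r"^\s*([\w.]+)\s*:\s*(.+?)\s*$")


def parse_flat_yaml(text):
    """elasticsearch.yml is normally flat 'dotted.key: value' lines; parse only those."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def assess_config(text):
    """Flag a node bound beyond loopback, and doubly so if security is not enabled."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "localhost")   # default binds to loopback only
    loopback = {"localhost", "127.0.0.1", "::1", "_local_"}
    if host not in loopback:
        findings.append(f"network.host={host} reachable from the network")
        # Assumption: security off by default on the older releases discussed.
        if s.get("xpack.security.enabled", "false").lower() != "true":
            findings.append("xpack.security.enabled is not true: no authentication on exposed node")
    return findings


# Constructed samples: an open node running an old release, a weak config and a
# hardened one.
WEAK_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.2.4", "build_type": "tar"},
    "tagline": "You Know, for Search",
})
WEAK_CONFIG = "cluster.name: es-demo\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED_CONFIG = (
    "cluster.name: es-demo\n"
    "network.host: 10.0.0.5   # reachable from the internal network only\n"
    "xpack.security.enabled: true\n"
)

if __name__ == "__main__":
    for f in assess_banner(200, WEAK_BANNER) + assess_config(WEAK_CONFIG):
        print("weak:", f)
    for f in assess_config(HARDENED_CONFIG):
        print("hardened:", f)
```

Run the banner check from a host that should not have access (a workstation outside the cluster's network); if it returns the banner, the node is reachable by anyone in the same position, which is exactly the exposure the article describes.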
