Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters (Feb 26, 2019)
Cisco Talos researchers have observed an increase in threat actor activity targeting Elasticsearch, the Lucene library-based search engine. The actors are targeting Elasticsearch clusters that run version 1.4.2 or earlier, using the vulnerabilities registered as CVE-2014-3120 and CVE-2015-1427. Both vulnerabilities appear to have been deliberately chosen because they only affect older Elasticsearch versions, and it is believed that approximately “six distinct actors are exploiting” the honeypots set up by the researchers. The actors’ overall objective in targeting these older Elasticsearch versions appears to be installing a cryptocurrency miner to garner an illicit profit; however, a variant of the “Spike” trojan was also observed being downloaded from an actor-controlled server via Elasticsearch.
Recommendation: Documented or older vulnerabilities, such as CVE-2014-3120 and CVE-2015-1427, are sometimes utilized by threat actors because companies often do not update their software and products for a variety of reasons. This story depicts the potential risk posed to services that are not properly maintained. It is crucial that your company has patch application and update policies in place to avoid potential malicious activity.
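The practical check that follows from this story is an inventory of which Elasticsearch nodes still run a version in the targeted range. The following Python script is an added example, not code from Cisco Talos or from the Elasticsearch project: it parses the JSON body that an Elasticsearch node returns for `GET /` (the `version.number` field) and flags any node at 1.4.2 or earlier, the threshold stated in the briefing. The node responses embedded in `SAMPLE_NODE_BODIES` are constructed for the example; in practice you would feed it the output of `curl http://<node>:9200/` for each node in your inventory.

```python
import json
import re

# Threshold taken from the briefing: clusters running 1.4.2 or earlier were targeted.
MAX_TARGETED_VERSION = (1, 4, 2)

# Constructed sample responses, shaped like the body Elasticsearch returns for GET /.
SAMPLE_NODE_BODIES = [
    '{"name": "search-01", "version": {"number": "1.4.2"}}',
    '{"name": "search-02", "version": {"number": "1.4.3"}}',
    '{"name": "legacy-01", "version": {"number": "1.2.0"}}',
    '{"name": "search-03", "version": {"number": "5.6.0-SNAPSHOT"}}',
]


def parse_version(text):
    """Parse a 'major.minor.patch' string into an int tuple, ignoring suffixes like '-SNAPSHOT'."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Elasticsearch version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_in_targeted_range(version_text):
    """True when the version is 1.4.2 or earlier (tuple comparison handles 1.10 > 1.9 correctly)."""
    return parse_version(version_text) <= MAX_TARGETED_VERSION


def assess_node(body_text):
    """Assess one node from the JSON body of GET / and return a small report dict."""
    info = json.loads(body_text)
    version = info["version"]["number"]
    return {
        "name": info.get("name", "<unnamed>"),
        "version": version,
        "targeted_range": is_in_targeted_range(version),
    }


def nodes_needing_attention(bodies):
    """Return the names of nodes whose version falls in the targeted range."""
    return [report["name"] for report in map(assess_node, bodies) if report["targeted_range"]]


if __name__ == "__main__":
    for body in SAMPLE_NODE_BODIES:
        report = assess_node(body)
        status = "UPGRADE" if report["targeted_range"] else "ok"
        print(f"{report['name']:<10} {report['version']:<16} {status}")
    print("needs attention:", nodes_needing_attention(SAMPLE_NODE_BODIES))
```

The version comparison is the whole point: comparing tuples of integers rather than strings avoids the classic mistake where "1.10.0" sorts before "1.4.2" lexically. Treat a hit as a prompt to upgrade the node (or retire it), per the recommendation above, rather than as a statement that it has already been compromised.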
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.