Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch
(Dec 12, 2018)
A cryptomining attack was observed to be exploiting known vulnerabilities for search engine "Elasticsearch" that are registered as "CVE-2015-1427" and "CVE-2014-3120," according to researchers at Trend Micro. CVE-2015-1427 is a vulnerability in Elasticsearch's "Groovy" scripting engine that can allow for remote arbitrary commands to be executed. CVE-2014-3120 is a vulnerability in Elasticsearch's default configuration that can allow for remote execution of arbitrary MVEL expressions and Java code. The attacks attempt to install cryptominers onto the infected machine through running a command that attempts to distribute a bash script to evoke the shell to run and download the mining malware. The threat actor will then run arbitrary commands to obtain privilege escalation and attempt to pivot to other systems connected to the network. The actual mining file is called "devtools" in the script in an attempt to obfuscate it on the machine, and once installed, it will search for other miners in the system and kill those to prevent them from restarting so it has sole control. It runs every ten minutes to mine for as much cryptocurrency as possible from the system. It is unclear whether the malware is mining for a specific type of cryptocurrency.
Recommendation: Elasticsearch no longer supports these vulnerable versions, so it is crucial to update your system to the latest versions that are secure and protected. Having antivirus software will help protect against arbitrary code running without permissions as well as monitor against suspicious activity on your system. Also maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.