Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet “Zombies” (Jul 23, 2019)
Threat actors are targeting publicly exposed Elasticsearch servers in order to install backdoors that enlist the infected hosts in a botnet used for Distributed Denial-of-Service (DDoS) attacks. The actors scan the internet for accessible Elasticsearch instances and exploit a long-patched vulnerability in the Groovy scripting engine, CVE-2015-1427, a sandbox bypass that allows remote command execution on affected Elasticsearch versions. After exploitation, the "Setag" backdoor is installed; it can steal system information and launch DDoS attacks. Setag is also capable of exploiting an Apache Struts 2 vulnerability, CVE-2017-5638, and appears to be similar to the "BillGates" malware, which likewise hijacks systems and conducts DDoS attacks.
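The two checks a defender would want after reading this are whether a node is still in the affected version range and whether anyone is sending it Groovy scripts that try to break out of the sandbox. The script below is an added example (not code from the Trend Micro write-up, Anomali or the Elasticsearch project): the affected ranges are taken from the Elasticsearch advisory for CVE-2015-1427 (1.3.0 to 1.3.7 and 1.4.0 to 1.4.2, fixed in 1.3.8 and 1.4.3), the banner, request bodies and the indicator tokens (`class.forName`, `getRuntime(`, `ProcessBuilder`, `.exec(`) are constructed for the example rather than captured from this campaign, and nothing here performs exploitation.

```python
import json
import re

# CVE-2015-1427 (Groovy sandbox bypass) affects Elasticsearch 1.3.0-1.3.7 and
# 1.4.0-1.4.2; it was fixed in 1.3.8 and 1.4.3. Earlier 1.x releases did not
# ship Groovy sandboxed scripting by default and 1.5+ ships with the fix, so
# only the two listed minor series are treated as exposed here.
FIXED_IN = {(1, 3): (1, 3, 8), (1, 4): (1, 4, 3)}

# Public exploit payloads for CVE-2015-1427 escape the Groovy sandbox by
# reflecting to java.lang.Runtime; these tokens (an assumed, not exhaustive,
# indicator set) catch that family of scripts.
SANDBOX_ESCAPE = re.compile(
    r"class\.forName|getRuntime\s*\(|ProcessBuilder|\.exec\s*\(", re.IGNORECASE
)


def parse_version(version_str):
    """Return (major, minor, patch) for strings like '1.4.2' or '1.4.2-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if not m:
        raise ValueError("unrecognised Elasticsearch version: %r" % version_str)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version_str):
    """True if the version falls inside the CVE-2015-1427 affected ranges."""
    v = parse_version(version_str)
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed


def assess_banner(banner_text):
    """Take the JSON body that GET / on an Elasticsearch node returns and
    report (version, vulnerable). The caller fetches the banner; this stays
    offline so the constructed sample below runs without a server."""
    info = json.loads(banner_text)
    version = info["version"]["number"]
    return version, is_vulnerable_version(version)


def find_scripts(obj):
    """Yield every script source found under a 'script' key anywhere in a
    request body (script_fields, scripted updates, script filters, ...)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "script":
                if isinstance(value, str):
                    yield value
                elif isinstance(value, dict):
                    # Newer releases nest the source under "inline"/"source".
                    for inner in value.values():
                        if isinstance(inner, str):
                            yield inner
            else:
                for found in find_scripts(value):
                    yield found
    elif isinstance(obj, list):
        for item in obj:
            for found in find_scripts(item):
                yield found


def suspicious_scripts(body_text):
    """Return the script sources in a request body that match the sandbox-
    escape pattern; an empty list means nothing matched (or not JSON)."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return []
    return [s for s in find_scripts(body) if SANDBOX_ESCAPE.search(s)]


# Constructed sample data (not captured from the campaign): a GET / banner
# from an unpatched node, a benign scripted search, and a search carrying
# the well-known reflection-based sandbox escape with a placeholder command.
SAMPLE_BANNER = (
    '{"status": 200, "name": "node-1", "cluster_name": "elasticsearch", '
    '"version": {"number": "1.4.2", "lucene_version": "4.10.2"}, '
    '"tagline": "You Know, for Search"}'
)
BENIGN_BODY = '{"size": 1, "script_fields": {"total": {"script": "doc[\'a\'].value * 2"}}}'
ESCAPE_BODY = (
    '{"size": 1, "script_fields": {"x": {"script": '
    '"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\")"}}}'
)

if __name__ == "__main__":
    version, vulnerable = assess_banner(SAMPLE_BANNER)
    print("node version %s, CVE-2015-1427 exposure: %s" % (version, vulnerable))
    for label, body in (("benign", BENIGN_BODY), ("escape", ESCAPE_BODY)):
        print(label, "->", suspicious_scripts(body))
```

To use it against a real node, fetch `GET /` with curl and pass the response to `assess_banner`; the body inspection assumes you have request bodies from a reverse proxy or packet capture in front of the node, since the node itself does not log them. A node that the version check flags should be upgraded; until then, the advisory's interim mitigation is setting `script.groovy.sandbox.enabled: false` in `elasticsearch.yml` and restarting.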
Recommendation: Your company should have policies in place for maintaining server software so that security updates are applied as soon as possible. Threat actors frequently exploit vulnerabilities that have already been patched, because details and proof-of-concept code for an exploit often become public once a patch is released. Actors of all levels of sophistication exploit such vulnerabilities because, as this story shows, many users and administrators do not apply security updates. Since this campaign finds its victims by scanning for publicly accessible instances, Elasticsearch servers should additionally not be reachable from the internet without network filtering and authentication in front of them.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.