Insecure Elasticsearch Nodes Host Malware Command-and-Control Servers

More than 4,000 misconfigured Elasticsearch nodes, most of them running on Amazon Web Services’ platform, have been hijacked by attackers to host malware command-and-control servers.

The compromised nodes were discovered by researchers from security firm Kromtech Alliance, who were researching Elasticsearch servers that had been configured by their owners to be publicly accessible without authentication. They noticed that aside from their owners’ information, some of the clusters had data records mentioning the AlinaPOS and JackPOS malware programs.

Elasticsearch is a big data search engine that’s popular in enterprise environments. It’s typically used in conjunction with log collection, data analytics and data visualization platforms.

AlinaPOS and JackPOS are memory-scraping malware programs that infect point-of-sale systems and siphon off credit card information as it’s being processed.

“The Amazon hosting platform gives users the possibility to configure the ElasticSearch cluster just in few clicks, but usually, people skip all security configuration during the quick installation process,” the Kromtech researchers said in a blog post. “This is where a simple mistake can have big repercussions and in this case, it did by exposing a massive amount of sensitive data.”

This is not the first time attackers have hit insecure Elasticsearch deployments. In January, hackers wiped data from hundreds of such servers and left behind ransom notes. At the time, researchers put the number of publicly exposed Elasticsearch deployments at around 35,000.

Organizations that run Elasticsearch clusters in the cloud should make sure their deployments are properly secured, even if they don’t consider the data inside to be sensitive. Otherwise, these servers could become a valuable resource for cybercriminals.
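As an added example (not from the article or Kromtech's research), here is a small audit script that reads the JSON an Elasticsearch node returns for `GET /_nodes/settings` and flags the two conditions the story describes: a bind address other than loopback, and X-Pack security not enabled. The sample document, node names and IDs are constructed; treating a missing `xpack.security.enabled` as "not enabled" is an assumption chosen to keep the audit conservative.

```python
# Added example, not code from the article or from Kromtech. Audits the JSON
# returned by GET /_nodes/settings for the exposure described in the story:
# a node bound to a non-loopback address with no authentication layer.
import json
from typing import Dict, List

# Values Elasticsearch accepts for a loopback-only bind.
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}


def _get(settings: dict, dotted: str, default=None):
    """Walk a nested settings map by dotted key, e.g. 'network.host'."""
    node = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_node_settings(doc: dict) -> Dict[str, List[str]]:
    """Return {node_name: [findings]} for every node in a /_nodes/settings document."""
    report = {}
    for node_id, node in doc.get("nodes", {}).items():
        settings = node.get("settings", {})
        findings = []
        # Elasticsearch defaults network.host to _local_ (loopback only).
        host = _get(settings, "network.host", "_local_")
        hosts = host if isinstance(host, list) else [host]
        if any(h not in LOOPBACK for h in hosts):
            findings.append(f"bound to non-loopback address {hosts}")
        # Settings values come back as strings, so compare as text; a missing
        # key is treated as disabled (assumption: conservative audit).
        if str(_get(settings, "xpack.security.enabled", "false")).lower() != "true":
            findings.append("xpack.security.enabled is not true (no authentication)")
        report[node.get("name", node_id)] = findings
    return report


# Constructed sample mimicking the shape of GET /_nodes/settings output.
SAMPLE = json.loads("""{
  "cluster_name": "demo",
  "nodes": {
    "abc": {"name": "exposed-1", "settings": {
        "network": {"host": "0.0.0.0"},
        "xpack": {"security": {"enabled": "false"}}}},
    "def": {"name": "private-1", "settings": {
        "network": {"host": "127.0.0.1"},
        "xpack": {"security": {"enabled": "true"}}}}
  }
}""")

if __name__ == "__main__":
    for name, findings in audit_node_settings(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```

A node that passes this check can still be reachable if the cloud security group opens port 9200 to the Internet, so pair it with a review of the network rules in front of the cluster.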

Kedi Trojan Poses as Citrix Tool and Steals Data via Gmail

Security researchers from Sophos have come across a remote access Trojan (RAT) program distributed through targeted spear-phishing campaigns. The malicious installer masquerades as an update for the Citrix NetScaler Unified Gateway, a single sign-on and federated identity tool for accessing SaaS applications.

The RAT executable file mimics the Citrix tool both through the file properties and the splash screen displayed on startup, the Sophos researchers said in a blog post.

The malicious program can download and install additional backdoors, can record keystrokes and can take screen shots on infected computers. It also steals information that identifies the compromised environment such as usernames, computer names and domains.

However, what makes Kedi stand out is its ability to receive commands and exfiltrate data through the basic HTML version of Gmail. According to the Sophos researchers, the Trojan program navigates to the Gmail inbox, parses the last unread message and executes any commands found inside. The data obtained as a result of those commands is encoded and sent back as a reply to the original email message.

Kedi can also communicate with its command-and-control server via DNS or HTTPS, but the Gmail method was probably added for situations where the attackers didn’t want to risk tripping network firewalls with direct communication over traditional protocols.

“It’s interesting to see how attackers keep trying to be more inventive in their approach to call home and make it harder for the good guys to detect and block its activity,” the Sophos researchers said.

SAP Fixes Flaws in Point of Sale for Retail Solution

Business software vendor SAP released security patches for 23 vulnerabilities in its products this week. Three of the flaws are rated as high severity and two are located in its Point of Sale for Retail client-server solution that’s used by many of the world’s largest retailers.

One of the SAP POS for Retail “Security Notes” was actually released out-of-band in August but was also included in this month’s scheduled update. It’s an addition to an existing patch for a vulnerability reported in April in the SAP POS Xpress Server component.

The original flaw stemmed from missing authentication checks and could have allowed attackers to gain unrestricted access to the point-of-sale system’s backend server. The patch for the vulnerability was released in July, but researchers from security firm ERPScan later discovered that the authorization check it implemented could be bypassed. SAP has now added additional encryption and authentication to the Xpress Server communication channel.

Another vulnerability fixed in this update resulted from the use of hard-coded credentials in the Store Manager component of the SAP POS solution. This flaw could have allowed users to access resources that should not normally be available to them.

“Organizations are encouraged to implement the appropriate patches as soon as possible to protect their business-critical assets,” the ERPScan researchers said in a blog post that analyzes SAP’s latest patches.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

