More than 4,000 misconfigured Elasticsearch nodes, most of them running on Amazon Web Services’ platform, have been hijacked by attackers to host malware command-and-control servers.
The compromised nodes were discovered by researchers from security firm Kromtech Alliance, who were researching Elasticsearch servers that had been configured by their owners to be publicly accessible without authentication. They noticed that aside from their owners’ information, some of clusters had data records mentioning the AlinaPOS and JackPOS malware programs.
Elasticsearch is a big data search engine that’s popular in enterprise environments. It’s typically used in conjunction with log collection, data analytics and data visualization platforms.
AlinaPOS and JackPOS are memory-scraping malware programs that infect point-of-sale systems and siphon off credit card information as it’s being processed.
“The Amazon hosting platform gives users the possibility to configure the ElasticSearch cluster just in few clicks, but usually, people skip all security configuration during the quick installation process,” the Kromtech researchers said in a blog post. “This is where a simple mistake can have big repercussions and in this case, it did by exposing a massive amount of sensitive data.”
This is not the first time attackers have hit insecure Elasticsearch deployments. In January, hackers wiped data from hundreds of such servers and left behind ransom notes. At the time, researchers put the number of publicly exposed Elasticsearch deployments at around 35,000.
Organizations that run Elasticsearch clusters in the cloud should make sure their deployments are properly secured, even if they don’t consider the data inside to be sensitive. Otherwise, these servers could become a valuable resource for cybercriminals.
Kedi Trojan Poses as Citrix Tool and Steals Data via Gmail
Security researchers from Sophos have come across a remote access Trojan (RAT) program distributed through targeted spear-phishing campaigns. The malicious installer masquerades as an update for the Citrix NetScaler Unified Gateway, a single sign-on and federated identity tool for accessing SaaS applications.
The RAT executable file mimics the Citrix tool both through the file properties and the splash screen displayed on startup, the Sophos researchers said in a blog post.
The malicious program can download and install additional backdoors, can record keystrokes and can take screen shots on infected computers. It also steals information that identifies the compromised environment such as usernames, computer names and domains.
However, what makes Kedi stand out is its ability to receive commands and exfiltrate data through the basic HTML version of Gmail. According to the Sophos researchers, the Trojan program navigates to the Gmail inbox, parses the last unread message and executes any commands found inside. The data obtained as a result of those commands is encoded and sent back as a reply to the original email message.
Kedi can also communicate with its command-and-control server via DNS or HTTPS, but the Gmail method was probably added for situations where the attackers didn’t want to risk tripping network firewalls with direct communication over traditional protocols.
“It’s interesting to see how attackers keep trying to be more inventive in their approach to call home and make it harder for the good guys to detect and block its activity,” the Sophos researchers said.
SAP Fixes Flaws in Point of Sale for Retail Solution
Business software vendor SAP released security patches for 23 vulnerabilities in its products this week. Three of the flaws are rated as high severity and two are located in its Point of Sale for Retail client-server solution that’s used by many of the world’s largest retailers.
One of the SAP POS for Retail “Security Notes” was actually released out-of-band in August but was also included in this month’s scheduled update. It’s an addition to an existing patch for a vulnerability reported in April in the SAP POS Xpress Server component.
The original flaw stemmed from missing authentication checks and could have allowed attackers to gain unrestricted access to the point-of-sale system’s backend server. The patch for the vulnerability was released in July, but researchers from security firm ERPScan later discovered that the authorization check it implemented could be bypassed. SAP has now added additional encryption and authentication to the Xpress Server communication channel.
Another vulnerability fixed in this update resulted from the use of hard-coded credentials in the Store Manager component of the SAP POS solution. This flaw could have allowed users to access resources that should not normally be available to them.
“Organizations are encouraged to implement the appropriate patches as soon as possible to protect their business-critical assets,” the ERPScan researchers said in a blog post that analyzes SAP’s latest patches.