IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers target Elasticsearch to set up DDoS botnet on AWS

Vulnerability in search engine software exploited by criminals

hacker attack in crossword

Hackers are exploiting a vulnerability in search engine software to install DDoS malware in AWS. The bug could also affect other cloud providers.

The flaw targets Elasticsearch, which is a Java-based open source search engine technology. This allows developers to add full-text searches to applications for various types of documents through a REST API.

The technology has a distributed architecture that can run on multiple nodes and as such is commonly used in cloud environments such as AWS, Azure and Google Compute Cloud, among others.

However, researchers at Kaspersky Labs have found that cybercriminals have exploited a flaw in the software to install DDoS malware on various clouds.

The flaw was found in Elasticsearch v. 1.1x and a scripting exploit. The software has default support for active scripting, but does not use authentication and also does not sandbox the script code.

Criminals can use the flaw to hack into EC2 VMs and then use a use a new variant of Linux DDoS Trojan Mayday – Backdoor.Linux.Mayday.g – to launch their attack, according to Kaspersky Lab principal security researcher Kurt Baumgartner.

“The [Mayday variants] in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations IP addresses to those of an anti-DDoS solution,” he said in a blog post.

“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers,” he added.

Baumgartner said “compromised hosts used to run the bots we observed have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and misused.”

He added that the list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, “indicating the perpetrators are likely your standard financially driven cybercrime ilk”.

In a statement, Amazon said that it notified customers of "potential security concerns" about Elasticsearch on 29 May 2014.

“Elasticsearch is not a software offering specific to AWS, and therefore presents a security concern for any service provider with customers that choose to use Elasticsearch in a manner inconsistent with security best practices,” the firm said.

It urged users of Elasticsearch 1.1x customers to upgrade to the latest versions as soon as possible. More information on Elasticsearch can be found here.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

What is SMAC?
digital transformation

What is SMAC?

30 Jun 2022
HPE upgrades GreenLake with Private Cloud Enterprise
Cloud

HPE upgrades GreenLake with Private Cloud Enterprise

28 Jun 2022
What is metaverse security?
Security

What is metaverse security?

9 Jun 2022
What is Amazon S3?
Amazon S3

What is Amazon S3?

16 May 2022

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support
Hardware

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Xerox CEO John Visentin dies unexpectedly aged 59
Careers & training

Xerox CEO John Visentin dies unexpectedly aged 59

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022