
Hackers target Elasticsearch to set up DDoS botnet on AWS

Vulnerability in search engine software exploited by criminals


Hackers are exploiting a vulnerability in search engine software to install DDoS malware on AWS instances. The same flaw affects Elasticsearch deployments at other cloud providers.

The flaw is in Elasticsearch, a Java-based open source search engine that lets developers add full-text search over various document types to their applications through a REST API.

The software has a distributed architecture that runs across multiple nodes, and as such is commonly deployed in cloud environments such as AWS, Azure and Google Compute Engine, among others.

However, researchers at Kaspersky Lab have found that cybercriminals are exploiting a flaw in the software to install DDoS malware on cloud-hosted instances.

The flaw affects Elasticsearch 1.1.x and is exploited through the software's scripting feature. Those releases enable dynamic scripting by default, the REST API has no built-in authentication, and the scripts are not sandboxed, so anyone who can reach the HTTP port of an exposed node (9200 by default) can run arbitrary code on the host.
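The check a practitioner wants at this point is a quick way to tell whether a node is in the exposed state the paragraph describes. The script below is an added example, not code from the article or from Elastic: it reads the version a node reports at "GET /" and the per-node settings from "GET /_nodes/settings", and flags any node on which dynamic scripting is effectively on. It assumes the release defaults stated above (dynamic scripting on before 1.2.0 and off from 1.2.0, overridable by the script.disable_dynamic setting), and the JSON responses are constructed inline so it runs offline.

```python
import json

# Constructed sample responses (not captured from a real cluster), shaped like
# "GET /" and "GET /_nodes/settings" on Elasticsearch 1.x.  Real responses
# carry more fields; only the ones read below matter.
ROOT_1_1_1 = '{"status":200,"name":"node-a","version":{"number":"1.1.1"}}'
ROOT_1_2_0 = '{"status":200,"name":"node-b","version":{"number":"1.2.0"}}'

# Node settings as a 1.1.x install ships them: nothing about scripting at all,
# so the release default (dynamic scripting on) applies.
SETTINGS_DEFAULT = ('{"cluster_name":"elasticsearch","nodes":{"n1":{"settings":'
                    '{"cluster.name":"elasticsearch","path.logs":"/var/log/elasticsearch"}}}}')
# The same node with the documented mitigation in elasticsearch.yml
# (script.disable_dynamic: true); settings may come back nested rather than dotted.
SETTINGS_HARDENED = ('{"cluster_name":"elasticsearch","nodes":{"n1":{"settings":'
                     '{"cluster":{"name":"elasticsearch"},"script":{"disable_dynamic":"true"}}}}}')
# A 1.2.x node where someone switched dynamic scripting back on.
SETTINGS_REOPENED = ('{"cluster_name":"elasticsearch","nodes":{"n1":{"settings":'
                     '{"cluster.name":"elasticsearch","script.disable_dynamic":"false"}}}}')


def parse_version(text):
    """'1.1.1' -> (1, 1, 1).  Stops at the first non-numeric component, so
    '1.3.0.Beta1' -> (1, 3, 0); missing components are padded with zeros."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def flatten(settings, prefix=""):
    """Normalise node settings to dotted keys, whether they came back nested
    or already flat, so 'script.disable_dynamic' can be looked up directly."""
    flat = {}
    for key, value in settings.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def dynamic_scripting_state(version, flat_settings):
    """Return 'enabled', 'disabled' or, for later 1.x releases, 'sandbox'.
    An explicit script.disable_dynamic wins; otherwise the release default
    applies: on before 1.2.0, off from 1.2.0 (assumed here, see lead-in)."""
    explicit = flat_settings.get("script.disable_dynamic")
    if explicit is not None:
        value = str(explicit).strip().lower()
        if value == "true":
            return "disabled"
        if value == "false":
            return "enabled"
        return value          # e.g. "sandbox": only sandboxed languages allowed
    return "enabled" if version < (1, 2, 0) else "disabled"


def assess(root_json, node_settings_json):
    """Per node: version, scripting state, and whether the node is exposed the
    way the article describes (dynamic scripting on, no authentication)."""
    cluster_version = parse_version(json.loads(root_json)["version"]["number"])
    report = {}
    for node_id, node in json.loads(node_settings_json)["nodes"].items():
        # _nodes output carries a per-node version when nodes differ; fall back
        # to the version the contacted node reported at "/".
        version = parse_version(node["version"]) if node.get("version") else cluster_version
        state = dynamic_scripting_state(version, flatten(node.get("settings", {})))
        report[node_id] = {
            "version": ".".join(map(str, version)),
            "dynamic_scripting": state,
            "exposed": state == "enabled",
        }
    return report


if __name__ == "__main__":
    for label, root, settings in [
        ("1.1.1 default config", ROOT_1_1_1, SETTINGS_DEFAULT),
        ("1.1.1 with script.disable_dynamic: true", ROOT_1_1_1, SETTINGS_HARDENED),
        ("1.2.0 default config", ROOT_1_2_0, SETTINGS_DEFAULT),
        ("1.2.0 with script.disable_dynamic: false", ROOT_1_2_0, SETTINGS_REOPENED),
    ]:
        print(label, assess(root, settings))
```

Against a live node you would fetch the two documents with curl from inside the VPC and feed them to assess(); a node that reports "exposed" should have its HTTP port closed to the internet and the setting applied before anything else, since the check says nothing about whether the host has already been compromised.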

Criminals use the flaw to compromise EC2 instances and then install a new variant of the Linux DDoS Trojan Mayday, Backdoor.Linux.Mayday.g, to launch their attacks, according to Kaspersky Lab principal security researcher Kurt Baumgartner.

“The [Mayday variants] in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations IP addresses to those of an anti-DDoS solution,” he said in a blog post.

“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers,” he added.

Baumgartner said “compromised hosts used to run the bots we observed have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and misused.”

He added that the list of DDoS victims includes a large regional US bank and a large electronics maker and service provider in Japan, “indicating the perpetrators are likely your standard financially driven cybercrime ilk”.
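The behaviour Baumgartner describes, a compromised instance sending UDP floods heavy enough for the provider to notice, is also the behaviour a tenant can look for in their own network telemetry. The script below is an added example, not code from the article or from Kaspersky Lab: it runs a simple detection over flow records and flags any source whose accepted egress is almost entirely UDP and sustained above a packet-rate threshold. It assumes records in the AWS VPC Flow Log version 2 layout; the sample lines are constructed here, not captured, with 10.0.1.23 playing the compromised instance and 10.0.1.44 an ordinary one.

```python
from collections import defaultdict

# Constructed VPC Flow Log records (version 2 layout, space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status.  Protocol 17 is UDP, 6 is TCP.
# 10.0.1.23 pushes ~1400-byte UDP datagrams at two victims for one minute;
# 10.0.1.44 makes ordinary TCP connections and a couple of DNS lookups.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.10 41234 53 17 850000 1190000000 1401600000 1401600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.10 41235 80 17 900000 1260000000 1401600000 1401600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.7 41236 123 17 870000 1218000000 1401600000 1401600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.7 41237 443 17 880000 1232000000 1401600000 1401600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 192.0.2.5 39000 443 6 12 1500 1401600000 1401600060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.44 192.0.2.5 52000 443 6 120 84000 1401600000 1401600060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.44 198.51.100.53 52001 53 17 4 480 1401600000 1401600060 ACCEPT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
UDP = 17


def parse_flow_log(text):
    """Yield one dict per record; skip blank or short lines and NODATA/SKIPDATA
    entries, which carry no usable counters."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def find_udp_flooders(text, min_udp_pps=10_000, min_udp_share=0.9):
    """Aggregate ACCEPTed traffic per source address and flag sources whose
    egress is almost entirely UDP and sustained above min_udp_pps.  Returns
    {srcaddr: stats} for flagged sources only."""
    stats = defaultdict(lambda: {"udp_packets": 0, "udp_bytes": 0,
                                 "all_packets": 0, "targets": set(),
                                 "start": None, "end": None})
    for rec in parse_flow_log(text):
        if rec["action"] != "ACCEPT":
            continue
        s = stats[rec["srcaddr"]]
        s["all_packets"] += rec["packets"]
        s["start"] = rec["start"] if s["start"] is None else min(s["start"], rec["start"])
        s["end"] = rec["end"] if s["end"] is None else max(s["end"], rec["end"])
        if rec["protocol"] == UDP:
            s["udp_packets"] += rec["packets"]
            s["udp_bytes"] += rec["bytes"]
            s["targets"].add(rec["dstaddr"])

    flagged = {}
    for src, s in stats.items():
        window = max(s["end"] - s["start"], 1)      # seconds; guard zero-length windows
        udp_pps = s["udp_packets"] / window
        udp_share = s["udp_packets"] / s["all_packets"] if s["all_packets"] else 0.0
        if udp_pps >= min_udp_pps and udp_share >= min_udp_share:
            flagged[src] = {
                "udp_packets": s["udp_packets"],
                "udp_bytes": s["udp_bytes"],
                "udp_pps": round(udp_pps, 1),
                "udp_share": round(udp_share, 4),
                "targets": sorted(s["targets"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_udp_flooders(SAMPLE_FLOW_LOG).items():
        print(f"{src}: {info['udp_pps']} UDP pps, {info['udp_share']:.1%} UDP, "
              f"targets {', '.join(info['targets'])}")
```

The two thresholds are deliberately conservative: a legitimate DNS, NTP or VoIP server is also mostly UDP, so on real logs you would restrict the source addresses to your own instances, allow-list known UDP services, and tune min_udp_pps to the instance class. A hit is a reason to isolate the instance and look at what is listening on port 9200, not proof of compromise by itself.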

In a statement, Amazon said that it notified customers of "potential security concerns" about Elasticsearch on 29 May 2014.

“Elasticsearch is not a software offering specific to AWS, and therefore presents a security concern for any service provider with customers that choose to use Elasticsearch in a manner inconsistent with security best practices,” the firm said.

It urged Elasticsearch 1.1.x customers to upgrade to the latest version as soon as possible. Customers who cannot upgrade immediately can disable dynamic scripting by setting script.disable_dynamic to true in elasticsearch.yml, which became the default from Elasticsearch 1.2.0, and should in any case keep the node's HTTP port off the public internet.
