Thousands of Elasticsearch Servers Hijacked to Host PoS Malware

Credit: threatpost.com

  • Sep 13 2017 20:18

Thousands of insecure Elasticsearch servers are hosting point-of-sale malware, according to an analysis by Kromtech Security Center. In total, researchers found 15,000 insecure Elasticsearch servers with 27 percent (4,000) hosting the PoS malware strains Alina and JackPoS.

“The absence of authentication on some Elasticsearch servers allowed attackers to take full administrative control on the exposed instance,” wrote Bob Diachenko, Kromtech’s chief communication officer, on Tuesday in a blog post outlining the research.

Insecure servers, he said, have opened the door for hackers to use them for a wide range of illegal activities, such as stealing or destroying hosted data and using the servers to hide command-and-control infrastructure for PoS malware strains.
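The exposure described above comes down to two things an operator can check on their own nodes: whether elasticsearch.yml binds the REST API to non-loopback interfaces with security off, and whether the node answers an anonymous request with its cluster metadata. The following audit helper is an added example, not code from the Threatpost article or from Kromtech; it assumes X-Pack's `xpack.security.enabled` is the only authentication in play (no authenticating reverse proxy in front of the node), and the `WEAK_YML` and `OPEN_BODY` samples are constructed.

```python
# Added audit example, not from the Threatpost article or Kromtech's research: checks
# for the exposure described above, an elasticsearch.yml that binds the REST API to all
# interfaces with security off, and a node that answers anonymous GET / with metadata.
# Assumes X-Pack's xpack.security.enabled is the only authentication (no auth proxy).
import json
import urllib.error
import urllib.request

def config_findings(yml_text):
    """Flat key: value scan of elasticsearch.yml; the keys checked here are not nested."""
    settings = {}
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch default is loopback
    if host in ("0.0.0.0", "_site_", "_global_") or host.startswith("_eth"):
        findings.append("network.host=%s exposes the REST API beyond loopback" % host)
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: REST API is unauthenticated")
    return findings

def classify_response(status, body):
    """Verdict for an anonymous GET / : 'open', 'auth-required' or 'unknown'."""
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if "cluster_name" in info and "version" in info:  # node answered with its metadata
            return "open"
    return "unknown"

def probe(base_url, timeout=5):
    """Send one anonymous GET / to a node you operate and classify the answer."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/", timeout=timeout) as r:
            return classify_response(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"

# Constructed samples for offline use.
WEAK_YML = "cluster.name: shop-es\nnetwork.host: 0.0.0.0   # reachable from the internet\n"
OPEN_BODY = json.dumps({"name": "node-1", "cluster_name": "shop-es",
                        "version": {"number": "5.6.0"}, "tagline": "You Know, for Search"})
```

Run `config_findings` against each node's elasticsearch.yml and `probe("http://<your-node>:9200")` from a host outside the cluster's network; an "open" verdict on a node reachable from the internet is the condition the article describes.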

Kromtech said 99 percent of compromised Elasticsearch servers were hosted on Amazon Web Services’ platform. “Every infected ES Server became a part of a bigger PoS botnet with command-and-control (C&C) functionality for PoS malware clients,” Diachenko wrote.

Of those hosting malware, servers were enlisted in the PoS campaigns to collect, encrypt and transfer credit card information stolen from PoS terminals, RAM or infected Windows machines.

Alina and JackPoS, PoS malware strains that scrape credit card details from computer memory, were found on the servers.

According to an analysis of PoS malware published by Arbor Networks in 2014, the Alina malware was developed in March 2012.

Kromtech said it has seen new samples of the Alina and JackPoS malware types and that detection rates by the most popular antivirus engines have been low.

“Even for the relatively old C&C servers hosting sites there is not enough information and VirusTotal URL Scanner fails to detect most of it,” researchers said.

Insecure Elasticsearch, Amazon Web Services and MongoDB databases are nothing new. Over the past 12 months there have been numerous instances of cloud-based servers having their data destroyed, held for ransom or leaked.

In January, 360 instances of Elasticsearch were wiped out, according to security researcher Niall Merrigan. At the time, Shodan founder John Matherly estimated 35,000 AWS Elasticsearch servers were configured incorrectly and left open to the internet.

Similarly, in the same January timeframe, Merrigan reported a massive uptick in the number of MongoDB databases hijacked and held for ransom: 28,000.

Misconfigured AWS S3 storage buckets are also being blamed for a rash of leaky servers.

In July, security experts found the records of anywhere between six million and 14 million Verizon customers left on an unprotected server belonging to a partner of the telecommunications firm. The week before, wrestling giant World Wide Entertainment accidentally exposed the personal data of three million fans. More recently, on Sept. 5, four million Time Warner Cable records were discovered unprotected in a misconfigured AWS S3 bucket.
