Thousands of Elasticsearch Servers Hijacked to Host PoS Malware

Over 4,000 insecure Elasticsearch servers have been hosting the point-of-sale malware Alina and JackPoS.

Thousands of insecure Elasticsearch servers are hosting point-of-sale malware, according to an analysis by Kromtech Security Center. In total, researchers found 15,000 insecure Elasticsearch servers with 27 percent (4,000) hosting the PoS malware strains Alina and JackPoS.

“The absence of authentication on some Elasticsearch servers allowed attackers to take full administrative control on the exposed instance,” wrote Bob Diachenko, Kromtech’s chief communication officer on Tuesday in a blog post outlining the research.

Insecure servers, he said, have opened the door for hackers to use them for a wide range of illegal activities such as stealing or destroying hosted data and using servers to hide command-and-control servers for PoS malware strains.

Kromtech said 99 percent of compromised ElasticSearch servers were hosted on Amazon Web Services’ platform. “Every infected ES Server became a part of a bigger PoS botnet with command-and-control (C&C) functionality for PoS malware clients,” Diachenko wrote.

Of those hosting malware, servers were enlisted in the PoS campaigns to to collect, encrypt and transfer credit card information stolen from PoS terminals, RAM memory or infected Windows machines.

Alina and JackPoS, PoS malware that attempts to scrape credit card details from computer memory was found on the servers.

According to analysis of PoS malware published by Arbor Networks in 2014 the Alina malware was developed in March 2012,

Kromtech said it has seen new samples of Alina and JackPoS malware types and that detection rates have been low by most popular AntiVirus engines.

“Even for the relatively old C&C servers hosting sites there is not enough information and VirusTotal URL Scanner fails to detect most of it,” researchers said.

Insecure ElasticSearch, Amazon Web Services and MongoDB databases are nothing new. Over the past 12 months there have been numerous instances of the cloud-based servers either having data destroyed, held for ransom or sensitive information leaked.

In January, 360 instances of ElasticSearch were wiped out according to security researcher Niall Merrigan. At the time, Shodan founder John Matherly estimated 35,000 AWS ElasticSearch servers were configured incorrectly and left open to the internet.

Similarly, in the same January timeframe, Merrigan reported a massive uptick in the number of MongoDB databases hijacked and held for ransom: 28.000.

Misconfigured AWS S3 storage buckets are also being blamed for a rash of leaky servers.

In July, security experts found anywhere between six million and 14 million Verizon customers were left on an unprotected server belonging to a partner of the telecommunications firm. The week before, wrestling giant World Wide Entertainment accidentally exposed personal data of three million fans. More recently, on Sept. 5, four million Time Warner Cable records were discovered unprotected on a misconfigured AWS S3.

Suggested articles