ElasticSearch POS Malware
During August 2017, it was discovered that a number of ElasticSearch servers had been hijacked to host Point of Sale (PoS) malware. 99% of servers infected are hosted in Amazon Web Services (AWS).
Two strains of malware have been detected on the servers, AlinaPOS and JackPOS. These two malware strains are very popular among attackers and have been in the wild since 2012.
AlinaPoS is used to scrape Credit Card data from Point of Sale (PoS) software. JackPOS is another PoS malware, which gathers credit card information. It then uses command-and-control (C2) to exfiltrate the stolen credit card data. JackPOS also uses its C2 to remove itself or download and install an updated copy of itself.
Over 16,000 ElasticSearch servers have been discovered which were configured with no authentication. Each infected ElasticSearch server became a part of a larger PoS botnet.
Affected Platforms:
ElasticSearch
Resolution:
- Secure configuration of servers should be implemented, ensuring a strong password is used
- Regularly monitor log files, connections and traffic to open ports and close all ports that are not used.
- Reimage all compromised systems.
- Users should consider the Security Logstash product included in the X-pack add-on. Security allows users to add authentication, authorisation and encryption to the ElasticSearch system.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.