Attackers have figured out a new way to get Amazon's cloud service to wage potent denial-of-service attacks on third-party websites—by exploiting security vulnerabilities in an open source search and analytics application known as Elasticsearch.
The power of Backdoor.Linux.Ganiw.a was documented earlier this month by researchers from antivirus provider Kaspersky Lab. Among other things, the trojan employs DNS amplification, a technique that vastly increases the volume of junk traffic being directed at a victim by abusing poorly secured domain name system servers. By sending DNS queries that are malformed to appear as if they came from the victim domain, DNS amplification can boost attack volume by 10-fold or more. The technique can be especially hard to block when distributed among thousands or hundreds of thousands of compromised computers.
Late last week, Kaspersky Lab expert Kurt Baumgartner reported that the DDoS bot is actively compromising Amazon Elastic Cloud Computing (EC2) hosts and very possibly those of competing cloud services. The foothold that allows the nodes to be hijacked is a vulnerability in 1.1.x versions of Elastisearch, he said. The attackers are modifying proof-of-concept attack code for the vulnerability, indexed as CVE-2014-3120 in the Common Vulnerabilities and Exposures database, that gives them the ability to remotely execute powerful Linux commands through a bash shell Window. The Gani backdoor, in turn, installs several other malicious scripts on compromised computers, including Backdoor.Perl.RShell.c and Backdoor.Linux.Mayday.g. The Mayday backdoor then floods sites with data packets based on the user datagram protocol.
"The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers," Baumgartner wrote. "The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk."
Elastisearch allows apps to carry out search and analytics functions on a variety of cloud services, including those of Amazon. Baumgartner said 1.1.x versions are active in some commercial deployments. The vulnerability isn't present in versions 1.2 and 1.3, in part because dynamic scripting is disabled by default. The vulnerability came to light in May.
"From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks," Baumgartner wrote. "The attackers re-purpose known CVE-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product."
It's not the first time hackers have leveraged the power of Amazon and other cloud computing services to increase the power or reach of an attack on third-party targets. In January, LinkedIn sued a gang of hackers alleged to have abused Amazon's cloud computing service to circumvent security measures and copy data from hundreds of thousands of member profiles each day. In 2011, the popular Amazon service was abused to control the nasty SpyEye bank fraud trojan. In 2009, researchers unearthed a Twitter account acting as a command and control channel for infected computers.
Update: A spokeswoman for Elasticsearch spokeswoman e-mailed to say the company has a published a list of recommended security practices here.
reader comments
19