Researchers discovered that nearly 4,000 Elasticsearch servers on the Amazon Web Services (AWS) cloud are infected by malware that targets point-of-sale (PoS) systems.
This finding is based on a report by Kromtech Security Center, which provides security, backup, and analytics solutions for Macs. Kromtech announced Tuesday that more than 15,000 instances of Elasticsearch, an open-source search and analytics engine, were found publicly exposed.
Around 4,000 of the exposed instances were infected with at least one type of PoS malware, JackPOS or AlinaPOS. Both families infect PoS devices and steal customers’ credit card information. JackPOS and AlinaPOS first appeared in 2012, but there is evidence that they are still being sold by hacking groups like VX Heaven.
Kromtech Chief Communications Officer Bob Diachenko stated that the Elasticsearch instances were left open to the public, allowing cyber criminals to install PoS malware. “The lack of authentication allowed the installation of malware on the ElasticSearch servers. Cyber criminals can manage the entire system with full administrative privileges through the public configuration,” he wrote. Once the malware was installed, he added, criminals could remotely access server resources and execute code in order to steal or destroy any data saved on the server.
Kromtech estimates that 99 percent of the exposed servers are hosted on AWS. Kromtech attributes this to customers who took advantage of AWS’ free usage tier for its t2.micro compute instances. This free usage offer is only for Elasticsearch versions 1.5.2 and 2.3.2, which reached their end of life just over one year ago according to the Elasticsearch support webpage.
It is not surprising, then, that these two versions accounted for the majority of infected Elasticsearch instances: version 1.5.2 accounted for 52 percent and version 2.3.2 for 47 percent.
Diachenko also suggested that AWS’ setup process might not have raised enough security concerns for users configuring Elasticsearch instances. “The Amazon hosting platform allows users to set up the ElasticSearch cluster in a few clicks. However, most people don’t bother with security configuration because they are so quick to install. A simple error can have huge repercussions, as it did in this case by exposing a large amount of sensitive data,” he wrote.
Diachenko stated that “every infected ES [Elasticsearch] Server was a part of a larger POS Botnet with Command and Control functionality (C&C), for POS (points-of-sale).” The bots steal, encrypt, and transfer credit card data scraped from the RAM of infected Windows machines and PoS terminals.
Kromtech reported that the latest infections occurred at the end of August. Kromtech recommends that administrators restrict access to their infrastructure to only trusted IPs, ensure that Elasticsearch patches are current, and reinstall any systems they suspect have been compromised.
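The two conditions the report describes, an Elasticsearch node that answers without authentication and a node running one of the end-of-life versions named above, can both be read from the node's root banner. The following is an added audit script for administrators to run against their own endpoints; it is not code from Kromtech or the Elasticsearch project. The end-of-life set is taken from the versions named on this page, the sample banner is constructed, and the endpoint URLs are assumed to be the reader's own.

```python
"""Audit your own Elasticsearch endpoints for anonymous access and EOL versions."""
import json
import urllib.error
import urllib.request

# Versions this report names as end-of-life; extend with your own policy.
EOL_VERSIONS = {"1.5.2", "2.3.2"}


def classify_root_response(status, body):
    """Classify the reply to GET / on an Elasticsearch node.

    status: HTTP status code; body: response text (JSON for a live node).
    Returns the findings a defender cares about.
    """
    finding = {"anonymous_access": False, "version": None, "eol": False}
    if status != 200:
        return finding                   # 401/403 means an auth layer answered
    try:
        doc = json.loads(body)
    except ValueError:
        return finding                   # not an Elasticsearch banner
    version = doc.get("version", {}).get("number")
    # A real node returns the version block together with the fixed tagline.
    if version and doc.get("tagline") == "You Know, for Search":
        finding["anonymous_access"] = True   # banner served with no credentials
        finding["version"] = version
        finding["eol"] = version in EOL_VERSIONS
    return finding


def audit_endpoint(url, timeout=5):
    """Fetch GET / from one of your own nodes (assumed URL) and classify it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_root_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_root_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return None                      # unreachable: nothing to classify


if __name__ == "__main__":
    # Constructed banner of a 2.3.2 node, used here in place of a live host.
    sample = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                         "version": {"number": "2.3.2"},
                         "tagline": "You Know, for Search"})
    print(classify_root_response(200, sample))
```

A node that is reachable from the internet and yields `anonymous_access: True` is in exactly the state the report describes; restrict it to trusted IPs first, then upgrade if `eol` is also set.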