More information about how nogoodniks are using Amazon Web Services' hosting services to launch attacks and host their own malware sites is emerging. Now Kaspersky's principal security researcher has published a blog that discusses how the abuse of Elasticsearch is being used on Amazon's clouds (and possibly others) for DDoS attacks and for profitable gains.

Chris Talbot

July 31, 2014

Kurt Baumgartner, principal security researcher at Kaspersky Lab


Basically, hackers and other cybercriminals are exploiting vulnerabilities found within Elasticsearch to deploy DDoS (distributed denial of service) attacks using Amazon Web Services. Kurt Baumgartner, principal security researcher at Kaspersky Lab, published a blog post in which he warned users of how hackers are using Amazon to install their malware in the cloud to launch attacks.

According to Baumgartner, even though Elasticsearch is an open source search engine server used by several organizations, the exploit has so far only appeared on Amazon Web Services clouds. However, in time these exploits could appear on other cloud infrastructure-as-a-service (IaaS) offerings such as Microsoft Azure (MSFT) and Google Compute Engine (GOOG).

“The situation is probably similar at other cloud providers,” Baumgartner wrote. “The list of the DDoS victims include a large regional U.S. bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.”

Baumgartner claims his team discovered Mayday Linux trojan variants deployed on Amazon EC2 instances. When questioned in the comments of his blog post about forced updates to Elasticsearch, Baumgartner noted that people should not hold Amazon responsible for the hosting of vulnerable software.

“They are not. The owners of the sites that spin up the EC2 instances and run Elasticsearch need to keep their software up-to-date. Amazon does not operate the elasticsearch software within the instance,” he wrote in his response.

An Amazon spokesperson told Talkin’ Cloud that it “first notified customers of potential security concerns with open source software, Elasticsearch, on May 29, 2014. Elasticsearch is not a software offering specific to AWS, and therefore presents a security concern for any service provider with customers that choose to use Elasticsearch in a manner inconsistent with security best practices.”

Amazon provides more information on using Elasticsearch best practices on its website.
