Elasticsearch Servers Hijacked to Host PoS Malware

During August 2017, it was discovered that a number of ElasticSearch servers had been hijacked to host Point of Sale (PoS) malware. 99% of servers infected are hosted in Amazon Web Services (AWS).

Threat ID:: CC-1657
Category:: Spyware
Threat Severity:: Medium
Threat Vector:
Published:: 21 September 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

During August 2017, it was discovered that a number of ElasticSearch servers had been hijacked to host Point of Sale (PoS) malware. 99% of servers infected are hosted in Amazon Web Services (AWS).

Affected platforms

The following platforms are known to be affected:

ElasticSearch

Threat details

Two strains of malware have been detected on the servers, AlinaPOS and JackPOS. These two malware strains are very popular among threat actors and have been in the wild since 2012.

AlinaPoS is used to scrape Credit Card (CC) data from Point of Sale (PoS) software. JackPOS is another PoS malware, which gathers credit card information. It then uses command-and-control (C2) to ex-filtrate the stolen credit card data. JackPOS also uses its C2 to remove itself or download and install an updated copy of itself.

Over 16,000 ElasticSearch servers have been discovered which were configured with no authentication. Each infected ElasticSearch server has become a part of a larger PoS botnet with command-and-control functionality PoS malware clients.

Remediation steps

Type	Step
	Proper configuration of servers should be conducted, ensuring a strong secure password is used. Regularly monitor log files, connections and traffic to open ports and close all ports that are not used. Reinstall all compromised systems. Users should install the Security Logstash product included in the X-pack add-on, Security allows users to add Authentication, Authorisation and encryption to the Elasticsearch system.

Type

Step

Proper configuration of servers should be conducted, ensuring a strong secure password is used.
Regularly monitor log files, connections and traffic to open ports and close all ports that are not used.
Reinstall all compromised systems.
Users should install the Security Logstash product included in the X-pack add-on, Security allows users to add Authentication, Authorisation and encryption to the Elasticsearch system.

Last edited: 17 February 2020 11:30 am