Botnet point-of-sale (POS) malware has infected nearly 4,000 publicly accessible ElasticSearch (ES) nodes, 99 percent of which are hosted in Amazon Web Services (AWS), according to the Kromtech Security Center. ES is a distributed, RESTful search and analytics engine designed to provide centralized data storage.
Security researchers detected AlinaPOS and JackPOS malware on ES servers. These malware attempt to scrape credit card details using a variety of techniques, Kromtech said in a prepared statement.
The ES infections date back to August 2016, Kromtech stated, and several infections took place as recently as last month.
ES's public configuration enabled hackers to launch botnet POS malware to manage servers with full administrative privileges, Kromtech said. Also, the malware allowed hackers to remotely access an ES server's resources and execute a code to steal or destroy any data on the server.
Each infected ES server became a part of a bigger POS botnet with command and control functionality for POS malware clients, Kromtech pointed out. These clients could be used to collect, encrypt and transfer credit card information stolen from POS terminals, RAM memory or infected Windows machines.
In addition, the AWS hosting platform gives users the ability to configure an ES cluster in a few clicks, but most users skip all security configuration steps during the installation process, Kromtech stated. Failure to properly safeguard ES servers against malware and other cyber threats puts users' sensitive data at risk.
"AWS and ElasticSearch both provided default insecure configurations, and these provide the criminal underground with a free attack platform to steal money from unsuspecting card holders," Chris Calvert, co-founder of Respond Software, told MSSP Alert.
Tips for Effective ES Botnet POS Malware Response
The ES botnet POS malware can cause long-lasting problems, and Kromtech provided the following recommendations for effective response:
- Check the log files on servers in your infrastructure.
- Evaluate all connections and traffic.
- Capture a screenshot or backup of all running systems.
- Collect malware samples; these samples can be sent to Kromtech for analysis.
- Reinstall all compromised systems.
- Install the latest ES patch.
- Close all non-used ports from external access.
Furthermore, the malware shows software vendors eventually will need to provide solutions in a "default secure" condition rather than expect users to figure out security best practices on their own, Calvert stated.
