Hackers seed Amazon cloud with potent denial-of-service bots


“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers,” Baumgartner wrote. “The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.”

Elasticsearch allows apps to carry out search and analytics functions on a variety of cloud services, including those of Amazon. Baumgartner said 1.1.x versions are active in some commercial deployments. The vulnerability isn’t present in versions 1.2 and 1.3, in part because dynamic scripting is disabled by default. The vulnerability came to light in May.
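As an added example that is not code from the article or from Elasticsearch, the following Python check applies the version boundary the article gives (1.1.x exposed; 1.2 and later disable dynamic scripting by default) to a node's version string and its elasticsearch.yml. It assumes `script.disable_dynamic`, the elasticsearch.yml key Elasticsearch 1.x used to turn dynamic scripting off; the sample configurations are constructed.

```python
"""Check an Elasticsearch 1.x node's exposure to CVE-2014-3120 (dynamic scripting RCE).

Added example, not code from the article or from Elasticsearch. Version boundary
from the article: 1.1.x exposed, 1.2+ ships with dynamic scripting disabled.
`script.disable_dynamic` is the elasticsearch.yml key 1.x used for that switch.
"""
import re


def parse_version(version: str) -> tuple:
    """Turn '1.1.2' or '1.3.0-beta1' into a comparable tuple such as (1, 1, 2)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def dynamic_scripting_setting(config_yaml: str):
    """Return the explicit `script.disable_dynamic` value, or None when unset.

    Only flat `key: value` lines are handled; comments and blanks are skipped.
    """
    for raw in config_yaml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "script.disable_dynamic":
            return value.strip().lower() in ("true", "yes", "on")
    return None


def is_exposed(version: str, config_yaml: str) -> bool:
    """True when dynamic scripting is effectively enabled on this node.

    Before 1.2 the default is enabled, so only an explicit true protects it;
    from 1.2 on the default is disabled, so only an explicit false exposes it.
    """
    explicit = dynamic_scripting_setting(config_yaml)
    if explicit is not None:
        return not explicit
    return parse_version(version) < (1, 2, 0)


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = "cluster.name: search-prod\n# dynamic scripting left at default\n"
HARDENED_CONFIG = "cluster.name: search-prod\nscript.disable_dynamic: true\n"

if __name__ == "__main__":
    for ver, cfg in [("1.1.2", WEAK_CONFIG), ("1.1.2", HARDENED_CONFIG), ("1.3.0", WEAK_CONFIG)]:
        print(ver, "EXPOSED" if is_exposed(ver, cfg) else "ok")
```

An explicit `script.disable_dynamic: false` on a 1.2 or 1.3 node is reported as exposed, since the safe default only helps when it is not overridden.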

“From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks,” Baumgartner wrote. “The attackers re-purpose known CVE-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.”

It’s not the first time hackers have leveraged the power of Amazon and other cloud computing services to increase the power or reach of an attack on third-party targets. In January, LinkedIn sued a gang of hackers alleged to have abused Amazon’s cloud computing service to circumvent security measures and copy data from hundreds of thousands of member profiles each day. In 2011, the popular Amazon service was abused to control the nasty SpyEye bank fraud trojan. In 2009, researchers unearthed a Twitter account acting as a command and control channel for infected computers.

Update: A spokeswoman for Elasticsearch e-mailed to say the company has published a list of recommended security practices here.