Hackers target Elasticsearch clusters in fresh malware campaign

Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be an attempt to place malware on victims' machines. According to a blog post by researchers at Cisco Talos, the attackers appear to be targeting clusters running version 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts through search queries and drop their payloads. The researchers found both malware and cryptocurrency miners being left on target machines.

The researchers explained that because Elasticsearch is typically used to manage very large datasets, a successful attack on a cluster could be devastating given the amount of data present.

The attackers have consistently deployed two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second uses obfuscated Java to invoke bash and download the same bash script with wget.
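Two defensive checks a cluster operator might run against the indicators above: a numeric version comparison against the 1.4.2 cutoff the article names, and a scan of search-request logs for bodies that carry a script, the delivery vector described. This is an added example, not code from the article or from Talos; the "METHOD PATH BODY" log format and the log lines themselves are constructed assumptions.

```python
import json
import re
from typing import List, Tuple

# Affected range per the article: version 1.4.2 and lower.
AFFECTED_MAX = (1, 4, 2)

def parse_version(v: str) -> Tuple[int, ...]:
    # Keep the numeric dotted prefix ("1.4.2-SNAPSHOT" -> (1, 4, 2)) and
    # compare numerically: a string compare would rank "1.10.0" below "1.4.2".
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "1.4" -> (1, 4, 0)

def is_affected_version(v: str) -> bool:
    return parse_version(v) <= AFFECTED_MAX

# Constructed sample log (assumed format: "METHOD PATH BODY"), not real traffic.
SAMPLE_LOG = [
    'POST /_search {"query":{"match_all":{}}}',
    'POST /logs/_search {"script_fields":{"x":{"script":"1+1"}}}',
    'POST /_search?pretty {"query":{"match_all":{}},"script_fields":{"f":{"script":"doc[\'a\'].value"}}}',
    'GET /_cluster/health',
]

SCRIPT_KEYS = ("script", "script_fields")

def _has_script(node) -> bool:
    # Recursive walk of the parsed body: any script-bearing key is a hit.
    if isinstance(node, dict):
        return any(k in SCRIPT_KEYS or _has_script(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_has_script(i) for i in node)
    return False

def find_script_queries(lines: List[str]) -> List[str]:
    """Return the log lines that are _search requests carrying a script."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        path = parts[1].split("?")[0] if len(parts) > 1 else ""
        body = parts[2] if len(parts) == 3 else ""
        if not path.endswith("_search") or not body:
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            hits.append(line)  # a malformed search body is itself worth review
            continue
        if _has_script(doc):
            hits.append(line)
    return hits
```

On a cluster found to be in the affected range, the relevant mitigation is upgrading; the log scan only tells you whether scripted search requests are already arriving.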
