Cybercriminals have been launching DDoS attacks from Amazon cloud-based bots after gaining access via a known vulnerability in open source search engine Elasticsearch, according to researchers.
Elasticsearch is often used in cloud environments like Amazon EC2 thanks to its distributed architecture, although it can also be deployed to other platforms like Microsoft Azure.
As such, the DDoS-related compromise may not only have happened to EC2 customers, according to Kaspersky Lab principal security researcher Kurt Baumgartner.
The attackers break into EC2 VMs by exploiting the CVE-2014-3120 vulnerability in Elasticsearch 1.1.x and then use a new variant of Linux DDoS Trojan Mayday – Backdoor.Linux.Mayday.g – to launch their attacks, he explained.
“The [Mayday variants] in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations IP addresses to those of an anti-DDoS solution,” he added in a blog post.
“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers.”
Elasticsearch 1.1.x customers were urged to upgrade to newer versions as soon as possible.
James Brown, EMEA director of solution architecture at Alert Logic, argued that according to Amazon’s Shared Security Model, customers are responsible for keeping their app software, like Elasticsearch, up-to-date.
“The victims of these attacks could have been hosted on any cloud platform, hosted services or even on-premise – if you run applications with known vulnerabilities in them, you are running a huge risk,” he added.
“This is not an AWS issue; it is an issue for whoever administers those servers. With the shared security model that cloud platforms provide, it is vital that customers use tools like Intrusion Detection Systems, Vulnerability Detection, Web Application Firewalls and Log Management to build upon the security that their provider is giving them.”
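As an added example, not code from the article, from Kaspersky Lab, Alert Logic or the Elasticsearch project, the following Python script shows two defender-side checks that follow from the upgrade advice above and from the tooling Brown recommends (vulnerability detection and log management). It assumes that CVE-2014-3120 is the Elasticsearch dynamic-scripting flaw, mitigated on the 1.x line by upgrading past 1.1.x or by setting `script.disable_dynamic: true` in elasticsearch.yml; the config lines and the `METHOD PATH BODY` request-log format are constructed for the example and are not a real Elasticsearch log format.

```python
"""Added example (not from the article): defender-side checks for the
Elasticsearch exposure the article describes.

Assumptions (not stated in the article):
- CVE-2014-3120 is the dynamic-scripting issue in Elasticsearch 1.1.x,
  mitigated on 1.x by `script.disable_dynamic: true` in elasticsearch.yml
  or by upgrading past 1.1.x.
- Request logs are constructed here as simple "METHOD PATH BODY" lines,
  not a real Elasticsearch log format.
"""
import json
import re

VULNERABLE_PREFIX = (1, 1)  # Elasticsearch 1.1.x, per the article


def parse_version(version: str) -> tuple:
    """Turn '1.1.2' into (1, 1, 2); raise on malformed input."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def dynamic_scripting_disabled(yaml_text: str) -> bool:
    """Minimal scan of elasticsearch.yml for `script.disable_dynamic: true`.
    A regex is used instead of a YAML parser so the block has no
    dependencies; commented-out lines (leading '#') do not match."""
    pattern = re.compile(r"^\s*script\.disable_dynamic\s*:\s*true\s*$", re.IGNORECASE)
    return any(pattern.match(line) for line in yaml_text.splitlines())


def node_exposed(version: str, yaml_text: str) -> bool:
    """True when the node runs a 1.1.x release and dynamic scripting is still on."""
    v = parse_version(version)
    on_vulnerable_branch = v[:2] == VULNERABLE_PREFIX
    return on_vulnerable_branch and not dynamic_scripting_disabled(yaml_text)


def _contains_script(obj) -> bool:
    """Recursively look for a 'script' key anywhere in a JSON request body."""
    if isinstance(obj, dict):
        return any(k == "script" or _contains_script(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_contains_script(item) for item in obj)
    return False


def flag_script_requests(log_lines):
    """Return the 1-based line numbers of search requests whose JSON body
    carries a 'script' field.  Only /_search paths are considered so the
    alert stays focused on the request type the vulnerable feature serves."""
    flagged = []
    for n, line in enumerate(log_lines, start=1):
        try:
            method, path, body = line.split(" ", 2)
        except ValueError:
            continue  # not a request line in the constructed format
        if not path.endswith("/_search"):
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue  # malformed body; a real pipeline might alert on this too
        if _contains_script(doc):
            flagged.append(n)
    return flagged


# Constructed sample data (not real configs or logs from the article).
SAMPLE_YAML_OPEN = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
SAMPLE_YAML_HARDENED = SAMPLE_YAML_OPEN + "script.disable_dynamic: true\n"
SAMPLE_LOG = [
    'GET /logs/_search {"query": {"match_all": {}}}',
    'POST /logs/_search {"query": {"match_all": {}}, "script_fields": {"x": {"script": "1"}}}',
    'PUT /logs/doc/1 {"msg": "hello"}',
    'POST /logs/_search {"query": {"match": {"msg": "script"}}}',
]

if __name__ == "__main__":
    print("open 1.1.x node exposed:", node_exposed("1.1.2", SAMPLE_YAML_OPEN))
    print("hardened 1.1.x node exposed:", node_exposed("1.1.2", SAMPLE_YAML_HARDENED))
    print("1.2.0 node exposed:", node_exposed("1.2.0", SAMPLE_YAML_OPEN))
    print("suspicious request lines:", flag_script_requests(SAMPLE_LOG))
```

The version-and-config check is the "vulnerability detection" side: it turns the article's upgrade advice into a yes/no answer per node. The log scan is the "log management" side: only line 2 of the constructed log is flagged, because the key `script` appears in its body, while line 4 merely searches for the word "script" as a value and is left alone, which is the distinction a real detection rule needs to make to avoid false positives.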
It is thought that the cybercriminals launching these DDoS attacks are financially motivated, given that two high profile victims so far have been a large regional US bank and a Japanese electronics maker.