Attackers have figured out a new way to get Amazon’s cloud service to wage potent denial-of-service attacks on third-party websites—by exploiting security vulnerabilities in an open source search and analytics application known as Elasticsearch.
The power of Backdoor.Linux.Ganiw.a was documented earlier this month by researchers from antivirus provider Kaspersky Lab. Among other things, the trojan employs DNS amplification, a technique that vastly increases the volume of junk traffic being directed at a victim by abusing poorly secured domain name system servers. By sending DNS queries that are malformed to appear as if they came from the victim domain, DNS amplification can boost attack volume by 10-fold or more. The technique can be especially hard to block when distributed among thousands or hundreds of thousands of compromised computers.
Late last week, Kaspersky Lab expert Kurt Baumgartner reported that the DDoS bot is actively compromising Amazon Elastic Cloud Computing (EC2) hosts and very possibly those of competing cloud services. The foothold that allows the nodes to be hijacked is a vulnerability in 1.1.x versions of Elastisearch, he said. The attackers are modifying proof-of-concept attack code for the vulnerability, indexed as CVE-2014-3120 in the Common Vulnerabilities and Exposures database, that gives them the ability to remotely execute powerful Linux commands through a bash shell Window. The Gani backdoor, in turn, installs several other malicious scripts on compromised computers, including Backdoor.Perl.RShell.c and Backdoor.Linux.Mayday.g. The Mayday backdoor then floods sites with data packets based on the user datagram protocol.
“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers,” Baumgartner wrote. “The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.”