The trouble with Elasticsearch, Elknot, and her Big Brother, Bill Gates Malware

McLean, VA – June 11, 2015 – Novetta, a leader in advanced analytics technology, today released The Elastic Botnet Report, detailing the characteristics of attackers who exploit an Elasticsearch vulnerability to build distributed denial-of-service (DDoS) botnet infrastructure with the Elknot and BillGates DDoS malware families. Novetta's report includes an overview of the vulnerability, details about the threat actors exploiting it to establish DDoS botnets, a detailed analysis of the malware's functionality, and remediation steps to help detect and remove infections. Novetta collected this evidence and supporting data by developing and deploying an open source honeypot named Delilah, which also gives researchers the means to build similar honeypots for their own research. The uncovered evidence suggests that the vulnerability, although publicly reported in 2015, was being actively exploited by attackers as of November 2014, and potentially as early as July 2014. Following the public announcement on February 11, 2015, reports of large-scale scanning and exploitation of the vulnerability began to emerge, leading to a large number of compromised Elasticsearch servers and the potential exposure of sensitive information. "Our goal was to reach a better understanding of the motivations and resources of these attackers. Therefore, we developed a purpose-built honeypot environment to do just that," says Greg Sinclair, Novetta Director of Malware Research.
"Our analysis shows the continuous scanning and exploitation of Elasticsearch servers to create a DDoS botnet infrastructure is the most visible feature of these actors and that some have continued to infect, reinfect, and maintain persistence on servers for several weeks." The Elastic Botnet Report provides a detailed analysis of the tactics, techniques, and procedures (TTPs) used to deliver this malware, including the scripts used to exploit vulnerable Elasticsearch servers. It also examines how the observed attacks can be linked by shared TTPs into larger patterns of activity, and it details the observed DDoS attack commands and how an analyst can interpret them to gain insight into the operators of the DDoS infrastructure. Key findings from the report include:
- This attack is unsophisticated, but effective.
- The bulk of the attacks originate from China.
- This is not an APT campaign, but the attackers do have a common playbook, including a Chinese language video tutorial.
- Most of the observed attacks dropped Elknot and BillGates, two DDoS malware families that, the evidence suggests, share a common code base. Both support a variety of DDoS attack types, but BillGates is more complex and contains additional capabilities.