Following a publicly reported vulnerability in Elasticsearch’s Groovy scripting engine earlier this year, reports of widespread scanning and exploitation attempts began to circulate. In order to better understand the motivations and resources of attackers actively exploiting this vulnerability, Novetta has designed an open-source honeypot that simulated servers running vulnerable Elasticsearch instances and deployed a network of the honeypots consisting of several geographically distributed instances; Novetta has also created a video tutorial detailing how to set up the honeypot for interested researchers. Our subsequently collected data, presented in the following in-depth report, highlight how potentially multiple actors are exploiting the Elasticsearch vulnerability to create DDoS botnet infrastructures using the Elknot and BillGates DDoS malware.
The Elknot and BillGates malware have been discussed by researchers previously to various degrees of technical detail; this report provides an extensively detailed analysis of each malware family and their denial-of-service (DoS) capabilities. While the two malware variants share a common code base that suggests they share the same author(s), there are notable differences between them. For instance, Elknot only has basic DoS capabilities, while BillGates contains capabilities such as remote shell functionality in addition to DoS attacks; both, however, provide attackers with a diversity of attack modes.
Details gathered from the attacks observed by Novetta are also examined in the report, including attack scripts and DDoS targets. Notably, the observed attacks appeared to be carried out largely by separate actors with poor operational security and rudimentary scripting capabilities. Attacks were successful due in part to the ease of exploitation of the Elasticsearch vulnerability in addition to instructions made available on underground forums for creating a deployment system for the attacks. With available tutorials and the appropriate tools, even less-technical attackers could effectively create a sizeable DDoS botnet capable of generating a significant volume of attack traffic; in a controlled environment, for example, Novetta observed Elknot saturating a 1 Gb/s network link. Additionally, some Elknot variants contain a secondary C2 mechanism that could allow remote access from another threat actor taking advantage of the malware’s deployment.
While attacks on Novetta’s honeypots were limited to the installation of DDoS malware, attackers could feasibly download additional malware or tools using the same Elasticsearch vulnerability in order to gain further control over a server. In fact, there is evidence to suggest that some of the actors observed by Novetta have the tools to do this. Administrators of Elasticsearch instances should apply necessary patches immediately and conduct a thorough review for possible malware infections: Novetta’s report includes YARA rules as well as other remediation steps. Additionally, it is highly suggested that Elasticsearch instances that do not need direct access by any user on the Internet should have a firewall in place to prevent such access.
Download the Elastic Botnet Report.
Visit the Novetta github to access the open source Delilah honeypot and an initial setup video tutorial.
Read the press release.