The trouble with Elasticsearch, Elknot, and her Big Brother, Bill Gates Malware
McLean, VA – June 11, 2015 – Novetta, a leader in advanced analytics technology, today released The Elastic Botnet Report detailing the characteristics of attackers exploiting an ElasticSearch vulnerability to create distributed denial-of-service (DDoS) botnet infrastructures using the Elknot and BillGates DDoS malware families. Novetta’s report includes an overview of the vulnerability, details about the threat actors exploiting the vulnerability to establish DDoS botnets, a detailed analysis of the malware functionality, and remediation steps to help detect and remove infections. Novetta collected this evidence and supporting data by developing and deploying an open source honeypot named Delilah, which provides researchers the capabilities to develop similar honeypots for other research.
Uncovered evidence suggests that the vulnerability, while publicly reported in 2015, was being actively exploited by attackers as of November 2014, and potentially even as early as July 2014. Following the public announcement on February 11, 2015, reports detailing large-scale scanning and exploitation of the vulnerability began to emerge, leading to a large number of compromised Elasticsearch servers with potentially sensitive information being exposed.
“Our goal was to reach a better understanding of the motivations and resources of these attackers. Therefore, we developed a purpose-built honeypot environment to do just that,” says Greg Sinclair, Novetta Director of Malware Research. “Our analysis shows the continuous scanning and exploitation of Elasticsearch servers to create a DDoS botnet infrastructure is the most visible feature of these actors and that some have continued to infect, reinfect, and maintain persistence on servers for several weeks.”
The Elastic Botnet Report provides a detailed analysis of the tactics, techniques, and procedures (TTPs) used to deliver this malware, including the scripts used to exploit vulnerable Elasticsearch servers. It also examines how the observed attacks can be linked by shared TTPs into larger patterns of activity, and details the observed DDoS attack commands and how an analyst can interpret those commands to gain insight into the operators of the DDoS infrastructure. Key findings from the report include:
- This attack is unsophisticated, but effective.
- The bulk of the attacks originate from China.
- This is not an APT campaign, but the attackers do have a common playbook, including a Chinese language video tutorial.
- Most of the observed attacks dropped Elknot and BillGates, DDoS malware variants that evidence suggests share a common code base. While both contain functionality to support a variety of DDoS attack types, BillGates is more complex and contains additional capabilities.
Visit the Novetta GitHub to access the open source Delilah honeypot and an initial setup video tutorial. These resources allow researchers to download the project, stand up multiple honeypots and a honeypot monitor, and gain visibility into this attacker and malware behavior in the wild. Novetta hopes this open-source contribution can provide researchers with an additional tool for the ongoing analysis of active and evolving threats.
About the Novetta Threat Research Group
Consisting of a diverse team of security researchers and analysts with backgrounds in the public and private sectors, Novetta’s Threat Research Group works to analyze, remediate, and report on advanced cyber threats by leveraging public and proprietary data sources, tools, and techniques. Utilizing decades of combined experience, the group continually monitors threat actor groups to protect both Novetta customers and the Internet population at large. It serves as a proactive member of the security community, coordinating working groups, researching emerging malware, and developing new tools and techniques for identifying security risks before they can gain traction.
Headquartered in McLean, VA with over 650 employees across the US, Novetta has over two decades of experience solving problems of national significance through advanced analytics for government and commercial enterprises worldwide. Novetta enables customers to find clarity from the complexity of ‘big data’ at the scale and speed needed to drive enterprise and mission success. Visit www.novetta.com for more information.
Kaila Brosey, MerrittGroup, 703-390-1534, firstname.lastname@example.org