Multistage Attack Delivers BillGates/Setag Backdoor to Turn Elasticsearch Servers into DDoS Botnet


Elasticsearch Servers

A new multistage attack exploiting Elasticsearch servers using the old unpatched vulnerability to invoke a shell with a crafted query and encoded Java commands. The attack aims to deliver BillGates/Setag Backdoor against vulnerable Elasticsearch servers.

The attack targets the already patched vulnerability in the Groovy scripting engine (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2) and the vulnerability can be tracked as CVE-2015-1427 it allows attackers to evade sandbox and to execute arbitrary shell commands via a crafted script.

Read more…