NTRG_ElasticBotnetReport_06102015

While the Elknot malware does not have direct file management or process management functionality, it would still be possible for the attackers responsible for the C2 servers that house the local privilege exploits to introduce these binaries on a victim’s machine using the exact same Elasticsearch vulnerability that led to the initial infection. However, for those using the BillGates malware, it would be a simple matter to download, decompress and execute the exploit packages thanks to the malware’s remote shell functionality.

The use of such old exploits, the automated manner by which the Elasticsearch exploitation was performed, and the lack of observed lateral movement indicate that the actors involved with the construction of the DDoS botnet have little real interest in data theft, but rather resource theft. Moreover, the actors appear to have little more than “script-kiddie” skill levels, as the tools being used by the actors are easily acquired and meant to be deployed practically off the shelf, requiring almost no customization for a victim’s machine. Regardless of the actors’ skill level, the fact that the Elasticsearch vulnerability is so easily exploited means that very little skill is necessary to develop a large-scale DDoS infrastructure.

The lack of operational technical skill is also mirrored in the lack of operational security demonstrated by the actors, which has been highlighted previously in MMD’s analyses of this malware. As Novetta observed with Delilah, the use of HFS instances provides a fast means for sharing content, but it also reveals information such as the number of times a particular file has been downloaded, which in turn reveals how pervasive a particular actor is. It was also not uncommon to find additional, non-attack-related files within the HFS instance. For example, one particular actor routinely shared out what appeared to be a Legends of Mir game server. Additionally, one of the HFS instances frequently would share out text files containing brute force password dictionaries, lists of Elasticsearch instances that have been compromised, and a list of server IP addresses with their respective usernames and passwords. By crawling the various open HFS instances seen by the Delilah attack alerts, Novetta was able to capture roughly 70 files in addition to the 48 files found within the Elasticsearch attacks. Collectively, the nearly 120 files provide a wealth of information on the attacker’s motivations, tools, and practices.

8. DETECTION/REMEDIATION STRATEGIES

Clearly the first remediation activity that an administrator should perform is to apply the necessary patches to their Elasticsearch instances on a continual basis. While this will not remediate existing infections, it will prevent an uninfected instance from succumbing to the current threat. Along these same lines, it would be advisable for any Elasticsearch instance that does not need direct access by any individual on the Internet to have a firewall in place to prevent such access.
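The firewall advice above, turned into a small audit helper. This is an added example and not part of the Novetta report: it reads `ss -ltn`-style listener output, flags Elasticsearch's default ports (9200 REST, 9300 transport) when they are bound to a non-loopback address, and prints iptables rules restricting them to a trusted range. The port numbers, the iptables syntax, the `ALLOWED_NET` range and the embedded sample lines are assumptions or constructed input.

```shell
#!/bin/sh
# Audit Elasticsearch exposure and emit restricting firewall rules.
# Added example (not the report's code). Assumes iptables and the
# default Elasticsearch ports 9200/9300.

ALLOWED_NET="${ALLOWED_NET:-10.0.0.0/8}"   # trusted client range (assumed)

# Constructed sample of `ss -Hltn` output so the script runs offline:
# one exposed REST port, one loopback-only transport port, one SSH port.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:9200 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9300 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# exposed_es_ports: read ss-style lines on stdin; print each Elasticsearch
# port whose local address (column 4) is not a loopback address.
exposed_es_ports() {
    awk '$4 ~ /:(9200|9300)$/ {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }'
}

# firewall_rules: for each exposed port on stdin, accept the trusted range
# and drop everything else (rules are printed, not applied).
firewall_rules() {
    while read -r port; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$port" "$ALLOWED_NET"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# check_sample: run the audit over the constructed sample (prints "9200").
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_es_ports
}

# Live use on a host: ss -Hltn | exposed_es_ports | firewall_rules
check_sample | firewall_rules
```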

Removal of the Elknot malware is a simple matter of rebooting the victim server. There is no persistence included within Elknot, therefore merely rebooting the server will flush the infection. This being said, a forensic analysis of the victim server should be performed as other malware, unrelated to Elknot, may have been introduced via the Elasticsearch vulnerability.

Administrators can use the following two YARA signatures to detect the presence of the Elknot payload and its dropper on an infected host:

THE ELASTIC BOTNET REPORT

59
