Hackers tap flaws in Amazon cloud to host DDoS botnets

News by Steve Gold

Profitable and easy-to-use vulnerability exploited by cybercriminals says security researcher

Botnets are one of those rare IT instances where the sum of the technology is potentially far greater than its constituent parts, largely because - in the case of botnets - their negative effects can be so overwhelming and pervasive.

It's because of this that a researcher has sounded the warning bell that cybercriminals are now installing DDoS botnets in the Amazon cloud resource.

Whilst this isn't the first time that botnets have been installed in the cloud, it is the first time that hackers have managed to exploit a vulnerability in the Elasticsearch (an open source search engine often used in cloud environments like Amazon EC2) distributed search engine software to install their malware.

Because Elasticsearch is a popular Java-developed open-source search engine server, some observers are concerned that the flaw has the potential to be exploited through other cloud suppliers, including Google's Compute Engine and Microsoft Azure, although no non-Amazon exploits have yet been seen.

The problem appears to stem from the fact that Elasticsearch includes default support for active scripting, but without the need for authentication and the script code needing to be sandboxed.

Unlike the vulnerability revealed by Shopify researcher Bouke van Der Bijl in May of this year, this latest flaw is both profitable and easy to use, says Kurt Baumgartner, Kaspersky Labs' principal security researcher for the Americas.

Last week, he says, his team of security researchers found new variants of the Mayday Linux trojan running on compromised Amazon EC2 server instances.

"Why hasn't Amazon forced the update of elasticsearch on its servers? How come it let such a vulnerable software run on its servers? Usually, companies pay big money for hosting to Amazon to have some peace of mind. I don't think Amazon was up to any of its customers' standards," asked a reader on the Securelist posting.

"I agree that it's the job of a company to ensure that its Web site is secure, but it's not their job to ensure that the environment they're running on is secure, particularly if they're using a cloud service such as Amazon," the reader added.

Over at Check Point, the security vendor's managing director Keith Bird said that, given the profile of Amazon's hosting services it is unsurprising that hackers will be targeting it for attack.

"To cope with this level of malicious activity, companies need to have mitigation plans in place, and consider defensive tools against DDoS, using either on-premise technology or cloud-based scrubbing services," he explained.

According to Bird, although DDoS - as a security attack - peaked as an attack vector in 2010, Check Point's 2014 Security Report found that it remains the fourth most common way for cybercriminals to attack an organisation, accounting for 23 per cent of all incidents last year.

James Brown, director of solution architecture EMEA at Alert Logic, disagreed with with any suggestion that  Amazon needs to resolve the issue, as he says that, depending on the hosting platform, the customer is usually responsible for some or all of the applications security.

"Amazon Web Services (AWS) is very clear in stating that customers are responsible for keeping their application software up to date and goes into some level of detail on the ‘Shared Security Model' that it uses," he noted, adding that the service provides a very secure infrastructure base that a customer can build upon, but customers have to take the responsibility of securing the applications that run on the AWS platform, as this is not something that the service can do for you.

"In this case it appears that an old version of a popular open source search engine server had a known vulnerability which has been exploited. Keeping software up to date is a critical component of security, as well as running security software that is native to cloud environments to help detect and prevent breeches," he said, adding that, with its rapid provisioning model, scalability and monthly consumption model, cloud security can be far cheaper and easier to run than people realise.

AWS contacted SC to point out that it first notified customers of potential security concerns with open source software, Elasticsearch, on May 29, 2014.   It also issued a statement to SC saying: "Elasticsearch is not a software offering specific to AWS, and therefore presents a security concern for any service provider with customers that choose to use Elasticsearch in a manner inconsistent with security best practices.

"AWS customers can easily follow our recommended best practices to mitigate the Elasticsearch exposures, including using EC2 Security Groups to restrict access and disabling the dynamic script execution support in Elasticsearch. For more information, see http://aws.amazon.com/security/security-bulletins/possible-insecure-elasticsearch-configuration/

"Additionally, AWS employs various fraud and abuse mitigation mechanisms.  We investigate all reports of abuse and take swift action against any activity that violates our AUP, up to and including suspension or termination of offending AWS accounts.  Anyone, including security researchers, who believe they have observed abusive activity from AWS are welcome to report their concerns in a timely manner by visiting https://aws.amazon.com/contact-us/ or emailing AWS Security via aws-security@amazon.com."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews