Elasticsearch [link] has a vulnerability that is now being exploited in the wild. This post covers one of the attacks targeting CVE-2015-1427 [link], quoted: a vulnerability in the Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. Elasticsearch's Groovy dynamic scripting is disabled by default from v1.4.3 because of this vulnerability [link], which is a recommended way to mitigate this ongoing attack. In this incident, the attacker uses the shell command to download and execute a malicious shell script that collects sensitive information about the Unix system hosting Elasticsearch and sends it to a remote host, while in parallel downloading and installing ELF malware that functions as a botnet agent backdoor and downloader on the victim's host. It also audits the victim's system with Lynis [link] and sends the result to the remote host as well.
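An exposure check for the affected versions and the mitigation described above, as an added example that is not part of the original post. The setting names `script.disable_dynamic` and `script.groovy.sandbox.enabled` are Elasticsearch 1.x `elasticsearch.yml` keys not named on this page; the assumed defaults and the node inventory are constructed for illustration.

```python
import re

# Elasticsearch 1.x setting names; defaults assumed for unpatched 1.3.x/1.4.x.
DEFAULTS = {"script.disable_dynamic": "sandbox",
            "script.groovy.sandbox.enabled": "true"}

def parse_version(text):
    """Return (major, minor, patch) from '1.4.2' or '1.4.0.Beta1'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(p) for p in m.groups())

def in_affected_range(version):
    """Range stated for CVE-2015-1427: before 1.3.8, and 1.4.x before 1.4.3."""
    v = parse_version(version)
    return v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3)

def read_flat_settings(yml_text):
    """Read flat 'key: value' lines over the defaults; nested YAML is not handled."""
    settings = dict(DEFAULTS)
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings

def audit_node(version, yml_text):
    """Return (exposed, reason) for one node with respect to CVE-2015-1427."""
    s = read_flat_settings(yml_text)
    if not in_affected_range(version):
        return False, "version outside the affected range"
    if s["script.disable_dynamic"] == "true":
        return False, "all dynamic scripting is disabled"
    if (s["script.disable_dynamic"] == "sandbox"
            and s["script.groovy.sandbox.enabled"] == "false"):
        return False, "Groovy is not sandboxed, so dynamic Groovy is refused"
    return True, "affected version accepts dynamic Groovy scripts"

# Constructed inventory: (node name, reported version, elasticsearch.yml text).
NODES = [("es-a", "1.4.2", "cluster.name: logs\n"),
         ("es-b", "1.4.2", "script.groovy.sandbox.enabled: false  # mitigated\n"),
         ("es-c", "1.3.7", "script.disable_dynamic: false\n"),
         ("es-d", "1.4.3", "")]

def exposed_nodes(nodes=NODES):
    return [name for name, ver, yml in nodes if audit_node(ver, yml)[0]]

print(exposed_nodes())  # ['es-a', 'es-c']
```

The version string is the one a node reports about itself; a node outside the affected range is reported as not exposed to this CVE regardless of its scripting settings.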
Created: 2026-02-23
No indicators were found.