A recently detected attack campaign is attempting to ensnare Elasticsearch clusters into a distributed denial of service (DDoS) botnet, Trend Micro reports.
The multi-stage attacks leverage scripts to ultimately deliver backdoors to the targeted servers and turn them into DDoS bots.
As part of the attack, the threat actor searches for exposed or publicly accessible Elasticsearch databases/servers. A shell is invoked with an attacker-crafted search query with encoded Java commands and then the first malicious script is downloaded.
The first-stage script attempts to shut down the firewall and any competing cryptocurrency mining programs already running on the target server. Next, a second-stage script is retrieved, likely from a compromised website.
The actor behind these attacks is believed to be using expendable domains to quickly swap URLs when they are detected. By abusing compromised websites, the attackers can evade detection,
Trend Micro says.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
