Thousands of insecure ElasticSearch servers host PoS malware

by Linas Kiguolis

Kromtech Security Center[1] recently reported a large point-of-sale (PoS) malware botnet hosted on insecure ElasticSearch servers. In total, about 15,000 insecure Elasticsearch servers were found, with approximately 4,000 of them hosting Alina and JackPoS malware.

According to Kromtech’s executive communication officer, Bob Diachenko, the attacks are made possible by instances left with their default authentication settings, which gives attackers full administrative control over the exposed instance. He adds that such insecure servers give attackers the opportunity to steal or destroy hosted data and to hide command-and-control (C&C) servers for PoS malware.

The Amazon Web Services platform hosted 99% of all the infected ElasticSearch servers. B. Diachenko notes that “Every infected ES Server became a part of a bigger PoS botnet with C&C functionality for PoS malware clients”.

As a result, the infected servers were enrolled in PoS campaigns to collect, encode and transfer bank account information stolen from infected Windows devices, system memory or PoS terminals.

Kromtech also reports that new versions of Alina and JackPoS have been seen, and that they have low detection rates.

The portals hosting the C&C servers expose too little data for AntiVirus engines to flag them.

Insecure ElasticSearch, MongoDB and Amazon Web Services instances have been a known problem for some time: in many cases, data on cloud-based servers has been destroyed, held for ransom and/or leaked.

As Niall Merrigan stated at the beginning of 2017, over 360 ElasticSearch servers were infected by PoS malware. At the same time, John Matherly, CEO and founder of Shodan, estimated that there were over 35,000 insecure, publicly accessible ElasticSearch servers that attackers could easily take advantage of.[2]

N. Merrigan also reported a massive increase: some 28,000 MongoDB databases were hijacked and held for ransom in January. In addition, misconfigured AWS S3 storage buckets[3] put the security and protection of servers at risk.

In July, security professionals noticed that records of 6 to 14 million Verizon customers had been left on an insecure server. Moreover, World Wide Entertainment unintentionally left its wrestling fans’ personal information on an unprotected server.[4]

More recently, a few million Time Warner Cable records were found on an incorrectly configured AWS S3 bucket.
