The hole is thanks to a vulnerability in distributed search engine software Elasticsearch which is a popular open-source search engine server. The software was developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface).
Elasticsearch is commonly used in cloud environments and is used on the Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms.
Versions 1.1.x of Elasticsearch have support for active scripting through API calls in their default configuration. For some reason this does not require authentication which is how the malware writers have broke into the systm.
Elasticsearch’s developers have not released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default.
Kaspersky Lab has found variants of Mayday, a Trojan program for Linux that’s used to launch distributed denial-of-service (DDoS) attacks.
One of the new Mayday variants was found running on compromised Amazon EC2 server instances.
Kaspersky Lab researcher Kurt Baumgartner said that it was not the only victim. The attackers break into virtual machines run by Amazon EC2 customers by exploiting the CVE-2014-3120 vulnerability in Elasticsearch 1.1.x, which is still being used by some organisations in active commercial deployments despite being superseded by Elasticsearch 1.2.x and 1.3.x.
Baumgartner saw the early stages of the Elasticsearch attacks and that the hackers modified publicly available proof-of-concept exploit code for CVE-2014-3120 and used it to install a Perl-based Web shell. This gave them a backdoor script that allows remote attackers to execute Linux shell commands over the Web. The script, downloads the new version of the Mayday DDoS bot, detected as Backdoor.Linux.Mayday.g.