myhack58 | 佚名 (Anonymous) | MYHACK58:62201994737
History: Jun 26, 2019 - 12:00 a.m.

Ann Day honeynet capture of the "using the ElasticSearch Groovy vulnerability for Monero (Dog) mining" event: analysis - vulnerability warning - the black bar safety net


CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.867 High
EPSS Percentile: 98.3%

1. Overview
On June 13, 2019, the Ann Day honeynet captured attacks exploiting the CVE-2015-1427 (ElasticSearch Groovy) remote command execution vulnerability. The vulnerability principle is that Elasticsearch uses Groovy as its scripting language and relies on a sandbox mechanism built on blacklists and whitelists to limit the risk of code execution; the mechanism is not strict enough and can be bypassed, resulting in remote code execution. Ann Day has conducted a detailed sample analysis of the event and gives prevention and remediation recommendations.
2. Sample analysis
2.1 Key attack payload
Judging from the attack payload, the attacker uses Groovy as the scripting language and sends to the _search?pretty page a JSON script that embeds the malicious link http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh, downloading a malicious shell script to achieve remote code execution and, through it, mining.
Figure 2-1 Contents of the packet
The core code after decryption:
Figure 2-2 The core code
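As an added example (not code from the original report), the following Python flags _search request bodies of the kind described above: any Groovy script, and any script whose source carries a download indicator such as an embedded URL. The 'METHOD PATH BODY' record format, the indicator regex and the sample requests are this example's own assumptions.

```python
import json, re
# Strings suggesting a staged download, like this incident's init.sh (example's own choice).
DOWNLOAD_RE = re.compile(r"https?://|\b(?:wget|curl)\b|/bin/(?:ba)?sh\b")

def iter_scripts(node):
    """Yield (lang, source) for every script anywhere in a parsed body
    (script_fields, aggregations, filters); ES 1.4.x defaults lang to groovy."""
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, str):
            yield node.get("lang", "groovy"), script
        elif isinstance(script, dict):  # {"script": {"inline": ..., "lang": ...}}
            src = script.get("inline") or script.get("source")
            if isinstance(src, str):
                yield script.get("lang", "groovy"), src
        for value in node.values():
            yield from iter_scripts(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_scripts(item)

def analyze_body(raw_body):
    """Return finding strings for one request body; an empty list means clean."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["unparseable body"]  # malformed JSON on _search is worth logging
    findings = []
    for lang, src in iter_scripts(body):
        if lang == "groovy":
            findings.append("groovy script present")
        if DOWNLOAD_RE.search(src):
            findings.append("download indicator in script")
    return findings

def scan_requests(records):
    """records are 'METHOD PATH BODY' lines; return [(path, findings)] for
    _search requests that produced at least one finding."""
    flagged = []
    for record in records:
        path, body = record.split(" ", 2)[1:]
        if "_search" in path and (findings := analyze_body(body)):
            flagged.append((path, findings))
    return flagged

# Constructed sample records (TEST-NET address, not an indicator from the report).
SAMPLE_REQUESTS = [
    r'GET /_search?pretty {"query":{"match_all":{}}}',
    r'POST /_search?pretty {"script_fields":{"x":{"lang":"groovy","script":"def u=\"http://198.51.100.10/a/init.sh\"; return 1"}}}',
]
```

Feed it request records from a reverse proxy or audit log in front of the cluster; a Groovy hit on a 1.x node that should have scripting disabled is worth an alert on its own.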
2.2 Sample analysis

  1. Intrusion script analysis - init.sh
    The attacker downloads and executes the malicious script init.sh from http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh to implant the Dog mining program, and at the same time performs a series of operations on the host, such as scanning.
    Figure 2-3 Turning off the firewall
    After execution it turns off the firewall, disables SELinux and frees up occupied resources, kills other mining-related processes, sets up a scheduled task that downloads the executable file update.sh every 30 minutes, modifies the ssh permissions and the iptables forwarding rules, and cleans up the related operation history, logs and so on.
    Figure 2-4 Checking for and killing other mining processes that are present
    Figure 2-5 Setting up the scheduled task
    Figure 2-6 Malicious script download address, backup address and size settings
    Figure 2-7 Cleaning up the related logs and history
    During this process the script checks whether the three processes sysupdate, networkservice and sysguard are running, and starts them if not.
    Figure 2-8 When one of them is killed, the scheduled file restarts it
  2. Sample analysis - sysguard, networkservice and sysupdate
    All three samples are written in Go and packed with UPX; the structure of their main_main functions is as follows:
    Figure 2-9 sysguard main_main function structure
    Figure 2-10 networkservice main_main function structure
    Figure 2-11 sysupdate main function
    Comparison with the previously captured systemctI sample shows that the attack is split across three process schedulings: mining, scanning and function calls. Functions related to vulnerability exploitation and to scanning were found in the networkservice sample.
    Figure 2-12 networkservice scan function
    Compared with the previously captured sample, the two attack methods are similar, except that this attack is carried out jointly by the three processes sysguard, networkservice (scanning) and sysupdate. This also means that once a server is found to be infected, these three processes must be killed at the same time.
  3. Configuration file - config.json
    From the downloaded configuration file we discovered more mining pool addresses:
    Table 2-1 Mining pool list (provided as an image in the original)
    Figure 2-13 Configuration file

3. Affected services and vulnerabilities
Table 3-1 Affected services and vulnerabilities (provided as an image in the original)

4. IOC
Table 4-1 Attack IPs (provided as an image in the original)
