It is being reported that more than 4,000 ElasticSearch servers are currently infected with, and actively hosting, Point of Sale (PoS) malware. Current estimates are that roughly 99% of the infected servers are hosted on AWS.
According to the report, these servers had no authentication in place at all, which let attackers reach the servers over the internet and take control of them remotely. The finding came out of a Kromtech review of how accessible, and how well protected, ElasticSearch servers are in practice. That review turned up more than 15,000 instances of the open-source software with no authentication or password protection. Of that group, roughly 4,000 appeared to be hosting PoS malware, including two well-known families, AlinaPOS and JackPOS, that have been traded and sold among criminals on underground forums.
Authentication controls and passwords are a baseline requirement for any organization that wants to call itself secure, not an optional extra. In 2017 the open-source distribution of Elasticsearch shipped with no built-in authentication, so an instance bound to a public interface exposed its full REST API (port 9200 by default) to anyone who found it. Once again we find that enterprises either wrongly presume that AWS secures their resources for them (it does not: under the AWS shared responsibility model, AWS is responsible for security OF the cloud, meaning the underlying infrastructure, and the customer is responsible for security IN the cloud, meaning everything they deploy and configure on it, a database listening on a public port included), or they simply have not yet done the work required to secure their environment.
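The condition Kromtech was scanning for, an Elasticsearch node that answers its REST API with no credentials, is easy to check for in your own estate. The script below is an added example written for this article; it is not Kromtech's scanner and not Elastic's code. Everything in it is an assumption not taken from the article: the default target of 127.0.0.1:9200, the rule that a node with security enabled answers the root URL with HTTP 401, and the constructed sample responses used to exercise the classifier offline.

```python
# Added example for this article: a small checker that tells whether an
# Elasticsearch node answers its REST API without authentication. Not
# Kromtech's scanner and not Elastic's code. Assumptions (not from the
# article): default target 127.0.0.1:9200, and a node with security
# enabled answers GET / with HTTP 401.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Verdict:
    state: str            # "open", "authenticated", "not_elasticsearch", "unreachable"
    cluster_name: str = ""
    version: str = ""
    indices: tuple = ()


def classify(root_status, root_body, indices_status=None, indices_body=""):
    """Decide from raw (status, body) pairs whether the node is exposed.

    GET / on an unauthenticated node returns 200 with cluster_name and
    version; GET /_cat/indices?format=json then lists every index, which
    is what an attacker enumerates before reading, writing or wiping data.
    Kept free of network I/O so it can be exercised on constructed input.
    """
    if root_status == 401:
        return Verdict("authenticated")
    if root_status != 200:
        return Verdict("not_elasticsearch")
    try:
        info = json.loads(root_body)
    except ValueError:
        return Verdict("not_elasticsearch")
    if not isinstance(info, dict) or "cluster_name" not in info or "version" not in info:
        return Verdict("not_elasticsearch")
    version = str(info["version"].get("number", "")) if isinstance(info["version"], dict) else ""
    indices = ()
    if indices_status == 200 and indices_body:
        try:
            indices = tuple(row["index"] for row in json.loads(indices_body))
        except (ValueError, KeyError, TypeError):
            indices = ()
    return Verdict("open", str(info["cluster_name"]), version, indices)


def fetch(url, timeout=5):
    """GET url and return (status, body). HTTP errors are data here, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(host="127.0.0.1", port=9200):
    """Network entry point: probe one node and classify it."""
    base = f"http://{host}:{port}"
    status, body = fetch(base + "/")
    if status is None:
        return Verdict("unreachable")
    idx_status, idx_body = (None, "")
    if status == 200:
        idx_status, idx_body = fetch(base + "/_cat/indices?format=json")
    return classify(status, body, idx_status, idx_body)


# Constructed sample responses (not captured from any real host), shaped like
# the Elasticsearch 5.x REST API so classify() can be checked offline.
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "5.6.2", "lucene_version": "6.6.1"},
    "tagline": "You Know, for Search",
})
SAMPLE_OPEN_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "orders", "docs.count": "1200"},
    {"health": "yellow", "status": "open", "index": "customers", "docs.count": "300"},
])
SAMPLE_AUTH_ROOT = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Run it as `python check_es.py <host>` against each node you own; a verdict of `open` with a non-empty index list is exactly what the exposed servers in the report looked like from the outside. The fixes are the usual ones: set `network.host` to a private interface rather than 0.0.0.0, restrict the security group so that 9200 and 9300 are reachable only from the application tier, and put an authenticating layer (a security plugin or a reverse proxy with credentials) in front of the API.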