Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers: http://it.slashdot.org/story/14/07/28/1444241/attackers-install-ddos-bots-on-amazon-cloud?utm_source=rss1.0mainlinkanon&utm_medium=feed
Commenting, Russ Spitler, VP of Product Strategy for AlienVault says:
"This is really interesting - mainly for the important detail that is missing: ElasticSearch is a backend service, it is the equivalent of a database like MySQL or Oracle - the real question is - Why the heck are these things on the internet??? This points to some basic issues with end user understanding of AWS security controls. It is a very basic task to lock these servers down and restrict access to these services. AWS has made these even easier than in traditional data centers. In fact, the end user needs to explicitly open the service up for it to be accessible from the general internet as it was exploited here. Informed use of EC2 security groups would completely eliminate this issue. Unfortunately, these days, users are still getting up to speed. In some recent work that we have done we found that more than 18,000 MySQL databases were publicly accessible - users are not properly securing their services and are being lazy about learning the capabilities of AWS. Unfortunately, this is being noticed by attackers; this will not be the last time we see malware campaigns targeting services running in AWS that have no business being on the internet … Regardless of what users do to upgrade their elasticsearch installation - GET IT OFF THE INTERNET!, even when it is fully upgraded, this is the equivalent of leaving your jewelry box on the front porch. Yeah, there is a chance no one will come by and notice, but why take the chance? Your datastore (elasticsearch) does not need to be accessed by the entire world..."
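The point Spitler makes is that an Elasticsearch node only becomes reachable from the internet when someone writes an EC2 security group rule that allows it. The script below is an added example (not part of the article or AlienVault's material) showing what that check looks like in practice: it walks the JSON shape returned by `aws ec2 describe-security-groups --output json` and reports any group whose inbound rules expose the default Elasticsearch ports (9200 for the REST API, 9300 for node transport) to `0.0.0.0/0` or `::/0`. It also shows a weak rule set next to the corrected one, where the same ports are allowed only from the application tier's security group rather than from any CIDR. The group ids and both sample groups are constructed placeholders; the code reads in-memory data so it runs offline.

```python
"""Audit EC2 security group rules for Elasticsearch ports exposed to the internet.

Operates on the structure returned by `aws ec2 describe-security-groups`
(IpPermissions / IpRanges / Ipv6Ranges / UserIdGroupPairs). The two sample
groups at the bottom are constructed for this example; the group ids are
placeholders, not real AWS identifiers.
"""
from typing import Dict, List

# Elasticsearch listens on 9200 (HTTP REST API) and 9300 (transport) by default.
ES_PORTS = {9200, 9300}
# CIDRs that mean "every host on the internet".
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if one IpPermissions entry admits TCP traffic to `port`.

    AWS encodes an "all traffic" rule as IpProtocol "-1" with no port range,
    so that case is treated as covering every port.
    """
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return lo <= port <= hi


def world_open_cidrs(rule: Dict) -> List[str]:
    """Return the IPv4/IPv6 CIDRs in this rule that open it to the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def find_exposed_es(security_groups: List[Dict]) -> List[Dict]:
    """One finding per (group, port, cidr) where an Elasticsearch port is world-reachable."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in world_open_cidrs(rule):
                for port in sorted(ES_PORTS):
                    if rule_covers_port(rule, port):
                        findings.append(
                            {"GroupId": sg["GroupId"], "Port": port, "CidrIp": cidr}
                        )
    return findings


# Constructed sample (placeholder ids): the weak setting, ES ports open to the world.
WEAK_SG = {
    "GroupId": "sg-0000weak",
    "GroupName": "elasticsearch-open",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        },
    ],
}

# Constructed sample (placeholder ids): the corrected setting. The same ports are
# reachable only from instances that belong to the application tier's security
# group (a UserIdGroupPairs reference), and no CIDR range is listed at all.
HARDENED_SG = {
    "GroupId": "sg-0000hard",
    "GroupName": "elasticsearch-private",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
            "IpRanges": [],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0000apptier"}],
        },
    ],
}

if __name__ == "__main__":
    for f in find_exposed_es([WEAK_SG, HARDENED_SG]):
        print(f"{f['GroupId']}: port {f['Port']} open to {f['CidrIp']}")
```

Run against the two samples it reports only `sg-0000weak`, once for 9200 and once for 9300; the hardened group produces no finding because a security-group reference is not a CIDR. To audit a real account, feed the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` into `find_exposed_es`; any hit is a datastore that, in Spitler's words, has no business being on the internet.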