Hadoop – INDIA NEWS (https://www.indiavpn.org)

Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services
https://www.indiavpn.org/2024/02/06/experts-detail-new-flaws-in-azure-hdinsight-spark-kafka-and-hadoop-services/
Tue, 06 Feb 2024 17:41:32 +0000

Feb 06, 2024 | Newsroom | Vulnerability / Cloud Security


Three new security vulnerabilities have been discovered in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition.

“The new vulnerabilities affect any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie,” Orca security researcher Lidor Ben Shitrit said in a technical report shared with The Hacker News.


The list of flaws is as follows:

  • CVE-2023-36419 (CVSS score: 8.8) – Azure HDInsight Apache Oozie Workflow Scheduler XML External Entity (XXE) Injection Elevation of Privilege Vulnerability
  • CVE-2023-38156 (CVSS score: 7.2) – Azure HDInsight Apache Ambari Java Database Connectivity (JDBC) Injection Elevation of Privilege Vulnerability
  • Azure HDInsight Apache Oozie Regular Expression Denial-of-Service (ReDoS) Vulnerability (no CVE)

The two privilege escalation flaws could be exploited by an authenticated attacker with access to the target HDI cluster to send a specially crafted network request and gain cluster administrator privileges.


The XXE flaw is the result of a lack of user input validation that allows for root-level file reading and privilege escalation, while the JDBC injection flaw could be weaponized to obtain a reverse shell as root.

“The ReDoS vulnerability on Apache Oozie was caused by a lack of proper input validation and constraint enforcement, and allowed an attacker to request a large range of action IDs and cause an intensive loop operation, leading to a denial-of-service (DoS),” Ben Shitrit explained.

Successful exploitation of the ReDoS vulnerability could result in a disruption of the system’s operations, cause performance degradation, and negatively impact both the availability and reliability of the service.


Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023.

The development arrives nearly five months after Orca detailed a collection of eight flaws in the open-source analytics service that could be exploited for data access, session hijacking, and delivering malicious payloads.

In December 2023, Orca also highlighted a “potential abuse risk” impacting Google Cloud Dataproc clusters: by taking advantage of a lack of security controls in Apache Hadoop’s web interfaces and of the default settings applied when creating resources, an attacker could access any data on the Apache Hadoop Distributed File System (HDFS) without any authentication.

Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
https://www.indiavpn.org/2024/01/12/cryptominers-targeting-misconfigured-apache-hadoop-and-flink-with-rootkit-in-new-attacks/
Fri, 12 Jan 2024 08:13:21 +0000

Jan 12, 2024 | Newsroom | Cryptocurrency / Malware


Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.

“This attack is particularly intriguing due to the attacker’s use of packers and rootkits to conceal the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes contents of specific directories and modifies system configurations to evade detection.”

The infection chain targeting Hadoop leverages a misconfiguration in YARN’s (Yet Another Resource Negotiator) ResourceManager, the component responsible for tracking resources in a cluster and scheduling applications.

Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.


The attacks aimed at Apache Flink likewise take aim at a misconfiguration that permits a remote attacker to achieve code execution without any authentication.

These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.

But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after obtaining an initial foothold in Hadoop and Flink applications.

“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker’s command.”

The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called “dca” from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.


The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It’s worth pointing out that various adversaries, including Kinsing, have resorted to employing rootkits to conceal the presence of the mining process.

To achieve persistence, a cron job is created to download and execute a shell script that deploys the ‘dca’ binary. Further analysis of the threat actor’s infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.

As mitigations, it’s recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.
