Docker, Hadoop, Confluence and Redis have become new victims of cloud cyber bandits

Teacher

Automation and hard-to-trace tooling significantly increase attackers' chances of success.

Recently, security researchers around the world have recorded more frequent attacks on misconfigured cloud servers running Apache Hadoop, Docker, Confluence and Redis.

In one of these recent attacks, the attackers used new Golang-based malware to automate the search for vulnerable hosts and then compromise them.

Cado Security, a company specializing in cloud forensics and incident response, discovered a malicious operation that used purpose-built utilities to exploit vulnerabilities and execute arbitrary code.

The tools used by the attackers reminded the researchers of earlier operations that were similar in many ways to the TeamTNT, WatchDog, and Kiss-a-Dog cloud malware campaigns.

Targets are selected by scanning for open ports 2375, 8088, 8090, or 6379, which are the default ports for the software listed above.

Cado Security identified the attack after receiving an alert about an access attempt against a Docker Engine API honeypot, during which a new container based on Alpine Linux was created on the server.

For the follow-on actions, the attackers used several shell scripts and very common Linux attack techniques to install a cryptocurrency miner, ensure persistence, and set up a reverse shell.

In the attack under review, the attackers deployed a set of four Golang payloads responsible for identifying and exploiting hosts running Hadoop YARN (h.sh), Docker (d.sh), Confluence (w.sh) and Redis (c.sh).

The payload names are probably a failed attempt to disguise them as bash scripts; they are actually 64-bit Golang ELF binaries.

"Interestingly, the malware developer forgot to delete the binaries, leaving the DWARF debugging information intact. Also, no effort was made to obfuscate strings or other sensitive data inside binary files, which makes their reverse engineering a fairly simple task," Cado Security experts noted.

The attack also used other payloads designed to remove traces of initial access and complicate the investigation.

Although most of the payloads in the campaign are actively detected by antivirus engines on the VirusTotal platform, the four Golang binaries described above go largely undetected.

As the malicious operation reviewed here shows, misconfigured cloud services and systems are increasingly becoming easy targets for cybercriminals who use malware to automate attacks.

Companies need to pay close attention to the security of their cloud resources, regularly check their configurations for weaknesses, and install security updates promptly to protect their infrastructure from such threats.
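As an added example (not from the article or from Cado Security), the following Python audit checks two of the misconfigurations that make hosts on ports 2375 and 6379 attractive to this kind of automated scanning: a Docker Engine API exposed over TCP without TLS client verification, and a Redis instance reachable on non-loopback addresses without a password. The configuration snippets are constructed samples; the daemon.json keys and redis.conf directives are the real ones.

```python
import json

# Constructed sample configurations (not taken from any real host): each weak
# setting is shown next to a corrected one.
DOCKER_DAEMON_WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DOCKER_DAEMON_OK = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
REDIS_WEAK = "bind 0.0.0.0\nport 6379\nprotected-mode no\n"
REDIS_OK = "bind 127.0.0.1\nport 6379\nprotected-mode yes\nrequirepass CHANGE-ME-PLACEHOLDER\n"

LOOPBACK = ("127.", "::1", "localhost")


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag TCP listeners of the Docker Engine API that lack TLS client verification."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"docker: API on {host} without tlsverify (unauthenticated remote control)")
    return findings


def audit_redis_conf(conf: str) -> list[str]:
    """Flag a Redis listener reachable from non-loopback addresses without a password."""
    settings: dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    findings = []
    # No bind directive means Redis listens on every interface.
    binds = settings.get("bind", "0.0.0.0").split()
    exposed = any(not b.lstrip("-").startswith(LOOPBACK) for b in binds)
    if settings.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    if exposed and "requirepass" not in settings:
        findings.append(f"redis: bound to {' '.join(binds)} with no requirepass")
    return findings


if __name__ == "__main__":
    for name, result in [("docker weak", audit_docker_daemon(DOCKER_DAEMON_WEAK)),
                         ("docker ok", audit_docker_daemon(DOCKER_DAEMON_OK)),
                         ("redis weak", audit_redis_conf(REDIS_WEAK)),
                         ("redis ok", audit_redis_conf(REDIS_OK))]:
        print(name, "->", result or "no findings")
```

Run the two audit functions against the real /etc/docker/daemon.json and redis.conf on a host to get the same findings; an empty list means neither weak setting was found.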