Cybercriminals are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deploy a cryptocurrency miner and spawn a reverse shell for persistent remote access.

What do we know about this malware campaign that runs on Apache Hadoop YARN

“The group of attackers [that attacked Apache Hadoop YARN services] leverages these tools to emit exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts”, Cado security researcher Matt Muir said in the company's report.

The campaign was codenamed Spinning YARN by the cloud security company, which noted overlaps with cloud attacks attributed to TeamTNT, WatchDog, and a cluster called Kiss-a-dog.

It all starts with the deployment of four new Golang payloads capable of automating the identification and exploitation of vulnerable Confluence, Docker, Hadoop YARN, and Redis hosts; the attackers use masscan or pnscan to scan for these services.

“To compromise Docker, attackers generate a container and escape from it to reach the underlying host”, Muir explained.

Initial access paves the way for the deployment of additional tools: the rootkits libprocesshider and Diamorphine to hide malicious processes, the open-source reverse shell utility Platypus and, finally, the XMRig miner.
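As an added example (not Cado's code, nor anything from the campaign), the following Python host-triage script checks a Linux host for the post-compromise tooling named above: a process-hiding library in /etc/ld.so.preload (how libprocesshider is loaded), the Diamorphine kernel module in the module list, and running XMRig or Platypus processes. The file path and the `lsmod` / `ps` commands it reads are assumptions about a typical Linux host, and the sample inputs are constructed.

```python
"""Host triage for the Spinning YARN post-compromise tooling (added example)."""
import subprocess
from pathlib import Path

# Indicator names taken from the article; matching is case-insensitive.
ROOTKIT_LIBS = ("libprocesshider",)    # userland rootkit loaded via /etc/ld.so.preload
ROOTKIT_MODULES = ("diamorphine",)     # LKM rootkit
SUSPECT_PROCS = ("xmrig", "platypus")  # miner and reverse-shell utility

# Constructed sample inputs, so the checks can be exercised offline.
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_LSMOD = "Module   Size  Used by\ndiamorphine 16384 0\next4 794624 1\n"
SAMPLE_PS = ["systemd", "XMRig", "sshd", "platypus"]


def check_preload(preload_text: str) -> list:
    """Return /etc/ld.so.preload entries that name a known process-hiding library."""
    paths = [p.strip() for p in preload_text.splitlines() if p.strip()]
    return [p for p in paths if any(n in p.lower() for n in ROOTKIT_LIBS)]


def check_modules(lsmod_text: str) -> list:
    """Return loaded kernel modules (first column of `lsmod`) with rootkit names.
    Caveat: Diamorphine unlinks itself from the module list once loaded, so an
    empty result is not evidence of absence; a hit is still significant."""
    rows = [line.split() for line in lsmod_text.splitlines()[1:]]
    return [r[0] for r in rows if r and r[0].lower() in ROOTKIT_MODULES]


def check_processes(proc_names) -> list:
    """Return (lower-cased) process names matching the miner / reverse shell."""
    return sorted({p.lower() for p in proc_names if p.lower() in SUSPECT_PROCS})


def triage(preload_text: str, lsmod_text: str, proc_names) -> dict:
    """Run all checks; an empty dict means none of the named indicators was seen."""
    findings = {"ld_preload": check_preload(preload_text),
                "kernel_modules": check_modules(lsmod_text),
                "processes": check_processes(proc_names)}
    return {k: v for k, v in findings.items() if v}


def collect_live():
    """Read the same three inputs from the running host (Linux only)."""
    preload = Path("/etc/ld.so.preload")
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True).stdout
    ps = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True).stdout
    return (preload.read_text() if preload.exists() else ""), lsmod, ps.split()


if __name__ == "__main__":
    print("sample:", triage(SAMPLE_PRELOAD, SAMPLE_LSMOD, SAMPLE_PS))
    print("live:", triage(*collect_live()))
```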

“It is evident that attackers are investing significant time in understanding the types of web services exposed in cloud environments, keeping up to date on reported vulnerabilities in those services and using this knowledge to gain a firm foothold in targeted environments”, the company said.

The development comes as Uptycs revealed the exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) by the 8220 Gang, as part of a wave of attacks targeting cloud infrastructure from May 2023 to February 2024.

“Leveraging Internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access”, security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they use a variety of advanced evasion techniques, demonstrating a deep understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security practices, changing firewall rules, and removing cloud security services, thus ensuring that their malicious activities remain undetected.”

The attacks, which target both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but only after taking a series of measures that prioritize stealth and evasion.

This also follows the abuse of cloud services primarily intended for artificial intelligence (AI) solutions to deploy cryptocurrency miners and host malware.

“With both mining and AI processes requiring access to large amounts of GPU processing power, there is a certain degree of transferability to their base hardware environments”, HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings report, noted that cybercriminals are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new ransomware variants for Linux systems, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems”, Cado said. “Cloud and Linux infrastructure are now subject to a wider variety of attacks.”