Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners in focused environments.
“This attack is especially intriguing owing to the attacker’s use of packers and rootkits to conceal the malware,” Aqua security scientists Nitzan Yaakov and Assaf Morag stated in an examination revealed earlier this week. “The malware deletes contents of particular directories and modifies procedure configurations to evade detection.”
The infection chain targeting Hadoop leverages a misconfiguration in the YARN’s (Yet Yet another Source Negotiator) ResourceManager, which is dependable for tracking means in a cluster and scheduling purposes.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Particularly, the misconfiguration can be exploited by an unauthenticated, distant risk actor to execute arbitrary code by indicates of a crafted HTTP request, subject matter to the privileges of the user on the node in which the code is executed.
The attacks aimed at Apache Flink, similarly, choose goal at a misconfiguration that permits a distant attacker to attain code execution sans any authentication.
These misconfigurations are not novel and have been exploited in the previous by financially motivated teams like TeamTNT, which is known for its heritage of concentrating on Docker and Kubernetes environments for the goal of cryptojacking and other malicious activities.
But what can make the most recent established of attacks noteworthy is the use of rootkits to conceal crypto mining processes soon after acquiring an first foothold into Hadoop and Flink apps.
“The attacker sends an unauthenticated ask for to deploy a new application,” the scientists explained. “The attacker is able to run a remote code by sending a Submit ask for to the YARN, requesting to launch the new software with the attacker’s command.”
The command is intent-built to obvious the /tmp directory of all present material, fetch a file termed “dca” from a remote server, and execute it, followed by deleting all documents in the /tmp listing as soon as once again.
The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It is well worth pointing out that various adversaries, like Kinsing, have resorted to using rootkits to conceal the presence of the mining process.
To attain persistence, a cron career is made to download and execute a shell script that deploys the ‘dca’ binary. Further more analysis of the risk actor’s infrastructure reveals that the staging server applied to fetch the downloader was registered on October 31, 2023.
As mitigations, it is really suggested that businesses deploy agent-centered security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.
Uncovered this posting intriguing? Stick to us on Twitter and LinkedIn to read additional exceptional information we article.
Some sections of this post are sourced from:
thehackernews.com