Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners in focused environments.
“This attack is especially intriguing owing to the attacker’s use of packers and rootkits to conceal the malware,” Aqua security scientists Nitzan Yaakov and Assaf Morag stated in an examination revealed earlier this week. “The malware deletes contents of particular directories and modifies procedure configurations to evade detection.”
The infection chain targeting Hadoop leverages a misconfiguration in the YARN’s (Yet Yet another Source Negotiator) ResourceManager, which is dependable for tracking means in a cluster and scheduling purposes.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Particularly, the misconfiguration can be exploited by an unauthenticated, distant risk actor to execute arbitrary code by indicates of a crafted HTTP request, subject matter to the privileges of the user on the node in which the code is executed.
The attacks aimed at Apache Flink, similarly, choose goal at a misconfiguration that permits a distant attacker to attain code execution sans any authentication.
These misconfigurations are not novel and have been exploited in the previous by financially motivated teams like TeamTNT, which is known for its heritage of concentrating on Docker and Kubernetes environments for the goal of cryptojacking and other malicious activities.
But what can make the most recent established of attacks noteworthy is the use of rootkits to conceal crypto mining processes soon after acquiring an first foothold into Hadoop and Flink apps.
“The attacker sends an unauthenticated ask for to deploy a new application,” the scientists explained. “The attacker is able to run a remote code by sending a Submit ask for to the YARN, requesting to launch the new software with the attacker’s command.”
The command is intent-built to obvious the /tmp directory of all present material, fetch a file termed “dca” from a remote server, and execute it, followed by deleting all documents in the /tmp listing as soon as once again.
The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It is well worth pointing out that various adversaries, like Kinsing, have resorted to using rootkits to conceal the presence of the mining process.
To attain persistence, a cron career is made to download and execute a shell script that deploys the ‘dca’ binary. Further more analysis of the risk actor’s infrastructure reveals that the staging server applied to fetch the downloader was registered on October 31, 2023.
As mitigations, it is really suggested that businesses deploy agent-centered security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.
Uncovered this posting intriguing? Stick to us on Twitter and LinkedIn to read additional exceptional information we article.
Some sections of this post are sourced from:
thehackernews.com