Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence and Redis services as part of an emerging malware campaign designed to deliver cryptocurrency mining programs and establish persistent remote access through a reverse shell.
Cado Security researcher Matt Muir said in a report shared with The Hacker News: “Adversaries use these tools to release exploit code, exploit common misconfigurations and N-day vulnerabilities, conduct remote code execution (RCE) attacks and infect new hosts.”
The cloud security company has codenamed the activity Spinning YARN, and notes that it overlaps with cloud-focused attacks attributed to TeamTNT, WatchDog and a cluster known as Kiss-a-dog.
It all starts with the deployment of four novel Golang payloads that automatically identify and exploit vulnerable Confluence, Docker, Hadoop YARN and Redis hosts. These spreader utilities rely on masscan or pnscan to find exposed instances of those services.
“With Docker attacks, the attacker spawns a container and escapes from it to the underlying host,” Muir explained.
The initial access then paves the way for the deployment of additional tools that install rootkits such as libprocesshider and diamorphine to hide the malicious processes, drop the open-source Platypus reverse shell utility, and finally launch the XMRig miner.
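The Docker path described above depends on two things a defender can check directly: a Docker API that accepts unauthenticated requests, and containers configured so that escaping to the host is trivial (privileged, host PID namespace, or the host filesystem bind-mounted in). The libprocesshider rootkit, for its part, works by adding itself to /etc/ld.so.preload. The following triage script is an added example written for this page, not code from Cado or from the campaign's tooling; it runs offline on constructed inputs that stand in for /etc/docker/daemon.json, `docker inspect` output and /etc/ld.so.preload, and the list of sensitive host paths is an illustrative assumption, not an exhaustive one.

```python
"""Offline triage for the Docker-abuse and rootkit indicators above.
Example code written for this page, not from Cado or the campaign's tooling.
Constructed inputs stand in for /etc/docker/daemon.json, `docker inspect`
output and /etc/ld.so.preload; on a live host, read those files instead."""
import json
from urllib.parse import urlparse

# Host paths that hand a container the host when bind-mounted
# (assumption: illustrative list, not exhaustive)
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def daemon_api_exposure(daemon_json: str) -> list[str]:
    """dockerd 'hosts' entries on tcp:// without tlsverify accept unauthenticated
    API calls: anyone who can reach the port can create containers."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    return [f"unauthenticated Docker API on {h}"
            for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp" and not tls]


def _is_sensitive(path: str) -> bool:
    """True if path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def container_escape_indicators(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> reasons it can reach the host (privileged flag,
    host PID namespace, or a bind mount of a sensitive host path)."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        name = (c.get("Name") or c.get("Id", "?")).lstrip("/")
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        if hc.get("PidMode") == "host":
            reasons.append("host pid namespace")
        for bind in hc.get("Binds") or []:          # "src:dst[:opts]"
            src = bind.split(":", 1)[0]
            if _is_sensitive(src):
                reasons.append(f"bind mount of {src}")
        if reasons:
            findings[name] = reasons
    return findings


def preload_entries(ld_so_preload: str) -> list[str]:
    """Shared objects listed in /etc/ld.so.preload are injected into every
    dynamically linked process; libprocesshider installs itself this way, so
    any entry on a server that should have none is worth a look."""
    entries = []
    for line in ld_so_preload.splitlines():
        line = line.split("#", 1)[0]            # glibc treats '#' as a comment
        entries.extend(tok for tok in line.replace(":", " ").split() if tok)
    return entries


# Constructed samples (not captured from a real host)
SAMPLE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Id": "c3d4", "Name": "/updater",
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/mnt"]}},
])
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

if __name__ == "__main__":
    print(daemon_api_exposure(SAMPLE_DAEMON_JSON))
    print(container_escape_indicators(SAMPLE_INSPECT))
    print(preload_entries(SAMPLE_PRELOAD))
```

On a real host, feed `daemon_api_exposure` the contents of /etc/docker/daemon.json (the `-H` flags on the dockerd command line can add listeners too, so check `ps` as well), `container_escape_indicators` the output of `docker inspect $(docker ps -aq)`, and `preload_entries` the contents of /etc/ld.so.preload. A TCP listener is only acceptable with `tlsverify` and a client CA configured; the sample above flags the plaintext 2375 listener and the container that mounts the host root.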
“It’s clear that attackers have invested considerable time in understanding the types of network-facing services deployed in cloud environments, staying abreast of reported vulnerabilities in those services, and leveraging this knowledge to gain a foothold in the target environment,” the company said.
The development comes as Uptycs revealed that the 8220 Gang exploited known security vulnerabilities in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of attacks on cloud infrastructure that ran from May 2023 to February 2024.
Security researchers Tejaswini Sandapolla and Shilpesh Trivedi said: “By leveraging the Internet to scan for vulnerable applications, the group identified potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access.”
“Once inside, they deploy a range of advanced evasion techniques, demonstrating a deep understanding of how to navigate and manipulate cloud environments to their advantage. This includes deactivating security enforcement, modifying firewall rules and removing cloud security services, thereby ensuring their malicious activities remain undetected.”
These attacks target Windows and Linux hosts and aim to deploy cryptocurrency miners, but not before taking a series of steps that prioritize stealth and evasion.
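The evasion steps Uptycs describes (turning off enforcement, changing firewall rules, stopping security services) all leave process-execution records behind on a Linux host. The script below is an added example written for this page, not Uptycs' detection content: it parses auditd EXECVE records (the quoted a0..aN argument fields) and matches the reconstructed command line against a small rule set. The audit lines are constructed, and the service names in SECURITY_SERVICES are assumptions about what an attacker might stop, not names taken from the report.

```python
"""Detection logic for the defense-evasion steps described above.
Example code written for this page, not Uptycs' detection content.
Parses auditd EXECVE records and flags commands that disable enforcement,
flush firewall rules or stop security services. Audit lines are constructed;
the service names are assumptions, not taken from the report."""
import re
from typing import Callable

ARG_RE = re.compile(r'\ba(\d+)="((?:[^"\\]|\\.)*)"')      # a0="..." a1="..."
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")     # event serial number

# Assumed names of cloud/endpoint security agents an attacker might stop
SECURITY_SERVICES = {"aegis", "aliyun", "falcon-sensor", "amazon-ssm-agent"}


def parse_execve(line: str):
    """Return (serial, argv) for an auditd EXECVE record, or None otherwise."""
    if "type=EXECVE" not in line:
        return None
    m = SERIAL_RE.search(line)
    args = sorted(((int(i), v) for i, v in ARG_RE.findall(line)), key=lambda t: t[0])
    if m is None or not args:
        return None
    return int(m.group(1)), [v for _, v in args]


def _base(argv: list) -> str:
    """Program name without its directory (a0 may be a full path)."""
    return argv[0].rsplit("/", 1)[-1]


def _unit(name: str) -> str:
    """systemd unit name without a trailing '.service'."""
    return name[:-len(".service")] if name.endswith(".service") else name


RULES: list[tuple[str, Callable[[list], bool]]] = [
    ("SELinux enforcement disabled",
     lambda a: _base(a) == "setenforce" and len(a) > 1 and a[1] in ("0", "permissive")),
    ("firewall rules flushed or disabled",
     lambda a: (_base(a) in ("iptables", "ip6tables", "nft") and ("-F" in a or "flush" in a))
               or (_base(a) == "ufw" and "disable" in a)),
    ("security service stopped",
     lambda a: _base(a) == "systemctl" and len(a) > 2 and a[1] in ("stop", "disable")
               and any(_unit(s) in SECURITY_SERVICES for s in a[2:])),
]


def scan_audit(lines) -> list[tuple[int, str]]:
    """Return (serial, rule label) for every EXECVE record matching a rule."""
    hits = []
    for line in lines:
        rec = parse_execve(line)
        if rec is None:
            continue
        serial, argv = rec
        for label, match in RULES:
            if match(argv):
                hits.append((serial, label))
    return hits


# Constructed audit records (not captured from a real system)
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1709300000.100:200): arch=c000003e syscall=59 success=yes exit=0
type=EXECVE msg=audit(1709300000.101:201): argc=2 a0="setenforce" a1="0"
type=EXECVE msg=audit(1709300000.102:202): argc=2 a0="/usr/sbin/iptables" a1="-F"
type=EXECVE msg=audit(1709300000.103:203): argc=3 a0="systemctl" a1="stop" a2="aegis.service"
type=EXECVE msg=audit(1709300000.104:204): argc=3 a0="ls" a1="-la" a2="/tmp"
""".splitlines()

if __name__ == "__main__":
    for serial, label in scan_audit(SAMPLE_AUDIT):
        print(f"audit event {serial}: {label}")
```

Recording EXECVE events requires an audit rule such as `-a always,exit -F arch=b64 -S execve` on the host; auditd hex-encodes arguments containing spaces or quotes (unquoted, no surrounding `"`), and this parser deliberately skips those, so a production version would decode them as well. The serial number lets an analyst join each hit back to its SYSCALL record for the user, working directory and parent process.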
Cloud services primarily intended for artificial intelligence (AI) workloads have also been abused to drop cryptocurrency miners and host malware.
HiddenLayer noted last year: “Because both mining and artificial intelligence require access to large amounts of GPU processing power, their underlying hardware environments have a certain degree of portability.”
Cado noted in its Cloud Threat Investigation Report for the Second Half of 2023 that threat actors are increasingly targeting cloud services that require specialized technical knowledge to exploit, and cryptojacking is no longer the only motivation.
“With the discovery of new Linux variants of ransomware families such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” the report stated. “Cloud and Linux infrastructure are now facing a wider range of attacks.”