Wednesday, July 3, 2024

‘Lucifer’ Botnet Turns Up the Heat on Apache Hadoop Servers

A threat actor is targeting organizations running the Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.

The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.

Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to enable DDoS attacks, or to drop XMRig for mining Monero cryptocurrency. Palo Alto said it had observed attackers also using Lucifer to drop the NSA’s leaked EternalBlue, EternalRomance, and DoublePulsar malware and exploits on target systems.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.

Now, it is back and targeting Apache servers. Researchers from Aqua Nautilus who have been tracking the campaign said in a blog this week that they had counted more than 3,000 unique attacks targeting the company’s Apache Hadoop, Apache Druid, and Apache Flink honeypots in the last month alone.

Lucifer’s 3 Distinct Attack Phases

The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.

The campaign so far has comprised three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.

“The marketing campaign started focusing on our honeypots in July,” says Nitzan Yaakov, safety knowledge analyst at Aqua Nautilus. “Throughout our investigation, we noticed the attacker updating methods and strategies to realize the principle aim of the assault — mining cryptocurrency.”

During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for misconfigured Hadoop instances. When they detected a misconfigured Hadoop YARN (Yet Another Resource Negotiator) cluster resource management and job scheduling service on Aqua’s honeypot, they targeted that instance for exploit activity. The misconfiguration on Aqua’s honeypot was in Hadoop YARN’s resource manager and gave the attackers a way to execute arbitrary code on it via a specially crafted HTTP request.

The attackers exploited the misconfiguration to download Lucifer, execute it, and store it in the Hadoop YARN instance’s local directory. They then arranged for the malware to run on a schedule to ensure persistence. Aqua also observed the attacker deleting the binary from the path where it was originally stored in an attempt to evade detection.

In the second phase of attacks, the threat actors once again targeted misconfigurations in the Hadoop big-data stack to try to gain initial access. This time, however, instead of dropping a single binary, the attackers dropped two on the compromised system: one which executed Lucifer and another which apparently did nothing.

In the third phase, the attacker switched tactics and, instead of targeting misconfigured Apache Hadoop instances, began looking for vulnerable Apache Druid hosts. Aqua’s version of the Apache Druid service on its honeypot was unpatched against CVE-2021-25646, a command injection vulnerability in certain versions of the high-performance analytics database. The vulnerability gives authenticated attackers a way to execute user-defined JavaScript code on affected systems.

The attacker exploited the flaw to inject a command that downloaded two binaries and set read, write, and execute permissions on them for all users, Aqua said. One of the binaries initiated the download of Lucifer, while the other executed the malware. In this phase, the attacker’s decision to split the downloading and execution of Lucifer between two binary files appears to have been an attempt to bypass detection mechanisms, the security vendor noted.

How to Avoid a Hellish Cyberattack on Apache Big Data

Ahead of a potential coming wave of attacks against Apache instances, enterprises should review their footprints for common misconfigurations and ensure all patching is up to date.
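The YARN misconfiguration described above comes down to a resource manager that accepts requests without authentication or authorization. As an added example (not code from the article or from Aqua Nautilus), the following Python audit reads a Hadoop-style configuration file and flags the settings that leave the cluster open; the property names are real Hadoop properties, while the two sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hadoop property -> (hardened value, value Hadoop assumes when the property is absent).
# In every case the built-in default is the permissive setting.
EXPECTED = {
    "hadoop.security.authentication": ("kerberos", "simple"),
    "hadoop.security.authorization": ("true", "false"),
    "hadoop.http.authentication.type": ("kerberos", "simple"),
    "hadoop.http.authentication.simple.anonymous.allowed": ("false", "true"),
    "yarn.acl.enable": ("true", "false"),
}

def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop <configuration> XML document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_hadoop_config(xml_text):
    """Return (property, actual, expected) for each weak setting.
    Absent properties are reported with Hadoop's permissive default."""
    props = parse_hadoop_config(xml_text)
    findings = []
    for name, (want, default) in EXPECTED.items():
        actual = props.get(name, default).lower()
        if actual != want:
            findings.append((name, actual, want))
    return findings

# Constructed sample: a cluster left on the defaults, as a misconfigured honeypot might be.
WEAK_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>yarn.resourcemanager.hostname</name><value>rm.example.internal</value></property>
</configuration>"""

# Constructed sample: the same cluster with authentication and ACLs switched on.
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for name, actual, want in audit_hadoop_config(WEAK_CONFIG):
        print(f"WEAK {name}={actual!r} (expected {want!r})")
```

Run it against the merged core-site.xml and yarn-site.xml of each cluster; the article does not specify which setting the honeypot lacked, so treat every finding as worth closing rather than assuming one of them is the decisive one.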

Beyond that, the researchers noted that “unknown threats can be identified by scanning your environments with runtime detection and response solutions, which can detect unique behavior and alert about it,” and that “it is important to be cautious and aware of current threats while using open-source libraries. Every library and code should be downloaded from a verified distributor.”
