Apache Hadoop and Flink misconfigurations used to install cryptominers
Take action: If you are using Apache Hadoop or Apache Flink, review the documentation and check that your API access and file uploads are authenticated, or at least locked down to a trusted group of systems (a stopgap, not a real fix). If you have been running an unsecured Hadoop or Flink deployment, start planning to secure it now; it will probably break something, but you can't afford to leave these systems open, because attackers are already abusing them.
Aqua Security's researchers have uncovered a malware campaign targeting Apache Hadoop and Flink that exploits misconfigurations to bypass authentication and install Monero cryptominers concealed by rootkits.
In Apache Hadoop YARN, the attackers exploited a misconfiguration in the ResourceManager component that allowed unauthenticated API requests to deploy applications. This weakness, previously exploited in attacks by TeamTNT, allows remote code execution. Similarly, in Apache Flink, the attackers used an insecure file upload mechanism to upload malicious JAR files, again leading to remote code execution.
The attack on Hadoop involves creating a new application in the cluster, using shell commands to download and execute a malware downloader named 'dca', which further installs rootkits and a Monero miner. The IP address linked to these attacks also targeted other technologies, indicating a broader operation.
Aqua Security suggests mitigation strategies for these vulnerabilities in both Apache Flink and the Hadoop ResourceManager.
Aqua has also provided IP addresses and indicators of compromise to assist investigations of affected Flink and Hadoop deployments.
Deploying agent-based security solutions in containers to detect cryptominers, rootkits, and other suspicious activities is also advised.
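As an added example (not from Aqua's report or this article), the following Python audit checks the configuration toggles behind the two weaknesses described above: it parses a Hadoop core-site.xml and a flat flink-conf.yaml and flags the settings that leave the ResourceManager web/REST API answering anonymous callers and the Flink REST JAR upload enabled. The Hadoop and Flink configuration keys are real; the sample configs are constructed, and the finding names are this script's own.

```python
import xml.etree.ElementTree as ET
# Real Hadoop keys with the values Hadoop assumes when the key is absent.
HADOOP_DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
}

def parse_hadoop_xml(text):
    """Return {name: value} from a core-site.xml / yarn-site.xml document."""
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(text).iter("property")}

def parse_flink_conf(text):
    """Return {key: value} from the flat 'key: value' lines of flink-conf.yaml."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")  # drop comments
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit_hadoop(text):
    """Weaknesses that let an unauthenticated caller submit a YARN application."""
    conf = {**HADOOP_DEFAULTS, **parse_hadoop_xml(text)}
    findings = []
    if conf["hadoop.security.authentication"] == "simple":
        findings.append("rpc-auth-simple")     # identity is whatever the client claims
    if (conf["hadoop.http.authentication.type"] == "simple"
            and conf["hadoop.http.authentication.simple.anonymous.allowed"] == "true"):
        findings.append("rest-api-anonymous")  # RM web UI / REST API answers anyone
    return findings

def audit_flink(text):
    """Weaknesses that let an unauthenticated caller upload and run a JAR."""
    conf = parse_flink_conf(text)
    enabled = conf.get("web.submit.enable", "true").lower() == "true"
    return ["jar-upload-enabled"] if enabled else []   # /jars/upload stays reachable

# Constructed samples: a cluster left at defaults and one with the toggles set.
WEAK_CORE_SITE = ("<configuration><property><name>fs.defaultFS</name>"
                  "<value>hdfs://nn:8020</value></property></configuration>")
HARDENED_CORE_SITE = "<configuration>" + "".join(
    f"<property><name>{k}</name><value>{v}</value></property>" for k, v in {
        "hadoop.security.authentication": "kerberos",
        "hadoop.http.authentication.type": "kerberos",
        "hadoop.http.authentication.simple.anonymous.allowed": "false"}.items()
) + "</configuration>"
WEAK_FLINK = "rest.port: 8081\n"                    # web.submit.enable left at default
HARDENED_FLINK = "rest.port: 8081\nweb.submit.enable: false\n"
```

Run it against your own core-site.xml and flink-conf.yaml; an empty findings list for both means the two toggles this campaign relies on are closed, not that the cluster is fully hardened.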