Apache Hadoop and Flink misconfigurations used to install cryptominers

published: Jan. 15, 2024

Take action: If you are using Apache Hadoop or Apache Flink, review the documentation and check that your API access and file uploads are authenticated, or at least locked down to a trusted group of systems (although network restriction alone is not a good fix). If you have been running an unsecured Hadoop or Flink, start planning to secure it now; it will probably break something. You can't afford not to secure these systems, because hackers are already abusing them.

Learn More

Aqua Security's cybersecurity researchers have uncovered a malware campaign targeting Apache Hadoop and Flink, exploiting their misconfigurations to bypass authentication and install Monero cryptominers concealed by rootkits.

In Apache Hadoop YARN, attackers exploited a misconfiguration in the ResourceManager component, enabling unauthenticated API requests for deploying applications. This vulnerability, previously exploited in attacks by TeamTNT, allows remote code execution. Similarly, in Apache Flink, attackers used an insecure file upload mechanism to upload malicious JAR files, again leading to remote code execution.

The attack on Hadoop involves creating a new application in the cluster, using shell commands to download and execute a malware downloader named 'dca', which further installs rootkits and a Monero miner. The IP address linked to these attacks also targeted other technologies, indicating a broader operation.

Aqua Security suggests mitigation strategies for these vulnerabilities in both Apache Flink and Hadoop ResourceManager:

  • For Flink, securing the file upload mechanism is crucial, involving authentication, file type checks, and size limits.
  • For Hadoop ResourceManager, configuring authentication and authorization for API access is recommended, possibly integrating with Kerberos, LDAP, or other systems, and employing ACLs or RBAC for further security.
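The settings in these two mitigation steps can be checked from the config files themselves. The following audit script is an added example, not code from Aqua Security or from the Apache projects; it parses Hadoop `*-site.xml` and `flink-conf.yaml` style files and flags keys whose effective value (explicitly set, or the shipped default when absent) is still the weak one. The expected and default values are assumed from the Apache documentation and should be adjusted to your own baseline; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Hardened values to expect and the shipped defaults that apply when a key is
# absent (assumed from the Apache docs; adjust to your own baseline).
HADOOP_EXPECTED = {"hadoop.security.authentication": "kerberos",  # core-site.xml
                   "hadoop.security.authorization": "true",
                   "hadoop.http.authentication.type": "kerberos",  # RM web/REST API
                   "yarn.acl.enable": "true"}                      # yarn-site.xml
HADOOP_DEFAULTS = {"hadoop.security.authentication": "simple",
                   "hadoop.security.authorization": "false",
                   "hadoop.http.authentication.type": "simple",
                   "yarn.acl.enable": "false"}
FLINK_EXPECTED = {"web.submit.enable": "false",  # no JAR upload via the web/REST API
                  "security.ssl.rest.enabled": "true",
                  "security.ssl.rest.authentication-enabled": "true"}
FLINK_DEFAULTS = {"web.submit.enable": "true",
                  "security.ssl.rest.enabled": "false",
                  "security.ssl.rest.authentication-enabled": "false"}

def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def parse_flink_conf(text):
    """Return {key: value} from flink-conf.yaml style 'key: value' lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if ":" in line:
            key, value = line.split(":", 1)
            props[key.strip()] = value.strip()
    return props

def audit(props, expected, defaults):
    """Flag settings whose effective value (set, or default if absent) is not hardened."""
    return [f"{k}={props.get(k, defaults[k])} (expected {v})"
            for k, v in expected.items() if props.get(k, defaults[k]).lower() != v]

# Constructed sample inputs: ACLs explicitly off, everything else left at defaults.
WEAK_YARN = ("<configuration><property><name>yarn.acl.enable</name>"
             "<value>false</value></property></configuration>")
WEAK_FLINK = "rest.port: 8081\nweb.submit.enable: true  # default\n"
```

Run `audit(parse_hadoop_xml(open("yarn-site.xml").read()), HADOOP_EXPECTED, HADOOP_DEFAULTS)` against a merged core-site/yarn-site to list every key still at its insecure effective value.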

Aqua has also provided IP addresses and indicators of compromise to assist with investigating Flink and Hadoop deployments.

Deploying agent-based security solutions in containers to detect cryptominers, rootkits, and other suspicious activities is also advised.
