A threat actor is targeting a common misconfiguration in Hadoop YARN and Apache Flink to try and drop Monero cyrptominers in environments running the two big data technologies.
What makes the campaign especially notable is the adversary’s use of sophisticated evasion techniques, such as rootkits, packed ELF binaries, directory content deletion, and system configuration modifications to bypass typical threat detection mechanisms.
Known Misconfigurations
Researchers from Aqua Nautilus uncovered the campaign when they spotted new attacks hitting one of their cloud honeypots recently. One attack exploited a known misconfiguration in a feature in Hadoop YARN called ResourceManager that manages resources for applications running on a Hadoop cluster. The other targeted a similarly known misconfiguration in Flink that, like the YARN issue, gives attackers a way to run arbitrary code on affected systems.
Hadoop YARN (Yet Another Resource Negotiator) is a resource management subsystem of the Hadoop ecosystem for big data processing. Apache Flink is a relatively widely used open source stream and batch processor for event-driven data analytics and data pipeline applications.
Assaf Morag, lead researcher for Aqua Nautilus, says the YARN misconfiguration gives attackers a way to send an unauthenticated API request to create new applications. The Flink misconfiguration allows an attacker to upload a Java archive (JAR) file that contains malicious code to a FLINK server.
“Both misconfigurations permit remote code execution, implying that an attacker could potentially gain complete control over the server,” Morag says. Given that these servers are used for data processing, their misconfigurations present a data exfiltration risk. “Furthermore, these servers are typically interconnected with other servers within the organization, which could facilitate lateral movement by the attacker,” Morag says.
Deploying a Cryptominer
In the attack on Apache Nautilus’ honeypots, the adversary exploited the misconfiguration in Hadoop YARN to send an unauthenticated request to deploy a new application. The attacker was then able to execute remote code on the misconfigured YARN by sending a POST request, asking it to launch the new application using the attacker’s command. To establish persistence, the attacker first deleted all cron jobs — or scheduled tasks — on the YARN server and created a new cron job.
Aqua’s analysis of the attack chain showed the attacker using the command to delete the content of the /tmp directory on the YARN server, downloading a malicious file to the /tmp directory from a remote command-and-control server, executing the file, and then again deleting the contents of the directory. Aqua researchers found the secondary payload from the C2 server to be a packed ELF (Executable and Linkable Format) binary that served as a downloader for two different rootkits, one of which was a Monero crypto-currency miner. Malware detection engines on Virus Total did not detect the secondary ELF binary payload, Aqua said.
“As these servers are designed for processing big data, they possess high CPU capabilities,” Morag says. “The attacker is exploiting this fact to run cryptominers, which also require a substantial amount of CPU resources.”
Morag says the attack is noteworthy for the different techniques the attacker used to conceal their malicious activity. These included the use of a packer to obfuscate the ELF binary, the use of stripped payloads to make analysis more challenging, an embedded payload within the ELF binary, file and directory permissions modifications, and the use of two rootkits to hide the cryptominer and shell commands.
