A threat actor is targeting organizations using Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a popular malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.
The campaign represents a turning point for the botnet, and an analysis this week by Aqua Nautilus suggests that its operators are testing new infection routines as precursors to a larger campaign.
Lucifer is self-propagating malware first reported by Palo Alto Networks researchers in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to launch DDoS attacks or to drop XMRig for mining the Monero cryptocurrency. Palo Alto said it also observed the attackers using Lucifer to drop the NSA-leaked EternalBlue, EternalRomance and DoublePulsar malware and exploits on target systems.
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that exploits old vulnerabilities to spread and execute malicious activities on Windows platforms,” Palo Alto warned at the time.
Now it’s back and targeting Apache servers. Aqua Nautilus researchers who monitored the campaign said in a blog this week that they had counted more than 3,000 unique attacks against the company’s Apache Hadoop, Apache Druid, and Apache Flink honeypots in the last month alone.
Lucifer’s 3 unique attack phases
The campaign has been ongoing for at least six months, during which time the attackers have attempted to exploit misconfigurations and known vulnerabilities in open source platforms to deliver their payload.
The campaign so far has consisted of three distinct phases, which the researchers say is likely an indication that the adversary is testing defense evasion techniques ahead of a full-scale attack.
“The campaign began targeting our honeypots in July,” says Nitzan Yaakov, security data analyst at Aqua Nautilus. “During our investigation, we observed the attacker updating techniques and methods to achieve the main objective of the attack: cryptocurrency mining.”
During the first phase of the new campaign, Aqua researchers observed attackers scanning the Internet for misconfigured Hadoop instances. When they detected a misconfigured Hadoop YARN (Yet Another Resource Negotiator) instance, the cluster resource management and job scheduling component of Hadoop, on the Aqua honeypot, they targeted it for exploitation. The misconfiguration on Aqua’s honeypot involved the Hadoop YARN resource manager and gave attackers a way to execute arbitrary code on it via a specially crafted HTTP request.
The attackers exploited the misconfiguration to download Lucifer, execute it, and store it in a local directory of the Hadoop YARN instance. They then scheduled the malware to run periodically to ensure persistence. Aqua also observed the attacker deleting the binary from the location where it was initially saved in an attempt to evade detection.
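The misconfiguration described above is, in practice, a YARN ResourceManager whose web and REST interface is reachable without authentication. The following audit script is an added example (not code from the article, Aqua Nautilus, or the Hadoop project) that parses Hadoop’s `core-site.xml` and `yarn-site.xml` and flags the settings that leave the ResourceManager in that state. The XML snippets are constructed samples: one cluster left on Hadoop’s defaults, and the same cluster with Kerberos authentication, ACLs and an internal bind address. The property names and their defaults are Hadoop’s own; the weak/hardened values are assumptions made for the demonstration.

```python
"""Audit Hadoop *-site.xml files for the settings that leave the YARN
ResourceManager REST API exposed and unauthenticated (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: Hadoop's out-of-the-box settings.
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>"""

WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>"""

# Constructed sample: the same cluster with Kerberos, ACLs and an internal bind address.
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.0.0.5:8088</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
</configuration>"""

# Hadoop's documented defaults, used when a property is absent from the file.
# (The webapp address defaults to ${yarn.resourcemanager.hostname}:8088, and the
# hostname itself defaults to 0.0.0.0, so the effective default binds everywhere.)
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "yarn.resourcemanager.webapp.address": "0.0.0.0:8088",
    "yarn.acl.enable": "false",
}


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None and value is not None:
            props[name.strip()] = value.strip()
    return props


def audit_yarn_exposure(core_site_xml, yarn_site_xml):
    """Return a list of findings; an empty list means none of the checked
    settings is in the weak state."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_hadoop_xml(core_site_xml))
    cfg.update(parse_hadoop_xml(yarn_site_xml))
    findings = []
    if cfg["hadoop.security.authentication"].lower() != "kerberos":
        findings.append("hadoop.security.authentication is 'simple': YARN trusts "
                        "whatever user name a caller supplies")
    if cfg["hadoop.http.authentication.type"].lower() != "kerberos":
        findings.append("hadoop.http.authentication.type is 'simple': HTTP endpoints, "
                        "including the ResourceManager REST API, are unauthenticated")
    if cfg["hadoop.http.authentication.simple.anonymous.allowed"].lower() == "true":
        findings.append("anonymous HTTP access is allowed")
    host = cfg["yarn.resourcemanager.webapp.address"].rsplit(":", 1)[0]
    if host in ("0.0.0.0", "", "::"):
        findings.append("ResourceManager web/REST interface binds to all interfaces")
    if cfg["yarn.acl.enable"].lower() != "true":
        findings.append("yarn.acl.enable is false: no application or queue ACLs are enforced")
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        print(f"{label}: {audit_yarn_exposure(core, yarn) or ['no findings']}")
```

On a real cluster, feed the script the files from `$HADOOP_CONF_DIR`; a clean result only covers these five settings, so it complements rather than replaces a network-side check that port 8088 is not reachable from the Internet.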
In the second phase of the attacks, the threat actors once again targeted misconfigurations in the Hadoop big data stack to try to gain initial access. This time, however, instead of dropping a single binary, the attackers dropped two on the compromised system: one that executed Lucifer and another that seemingly did nothing.
In the third phase, the attacker changed tactics and, instead of targeting misconfigured Apache Hadoop instances, began searching for vulnerable Apache Druid hosts. The Apache Druid service on Aqua’s honeypot had not been patched against CVE-2021-25646, a command injection vulnerability in some versions of the high-performance analytics database. The vulnerability gives authenticated attackers a way to execute user-defined JavaScript code on affected systems.
The attacker exploited the flaw to inject a command that downloaded two binary files and gave them read, write and execute permissions for all users, Aqua said. One of the binaries initiated the download of Lucifer, while the other executed the malware. At this stage, the attacker’s decision to split the download and execution of Lucifer into two binaries appears to have been an attempt to bypass detection mechanisms, the security vendor noted.
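Two defender-side checks follow from the third phase: whether a Druid node is still on a release affected by CVE-2021-25646 (the fix shipped in Druid 0.20.1), and whether files have appeared on the host with the read/write/execute-for-everyone permissions the attacker set. The script below is an added example, not code from the article or from the Druid project. The `/status` response body is a constructed sample of the JSON Druid’s real `/status` endpoint returns; the file listing is likewise constructed, and the directory and file names in it are assumptions.

```python
"""Check a Druid node's version against CVE-2021-25646 and hunt for
world-writable, world-executable files (added example)."""
import json
import os
import re
import stat

# Apache Druid 0.20.1 is the release that fixed CVE-2021-25646; 0.20.0 and
# earlier honour request-embedded JavaScript regardless of server configuration.
FIXED_VERSION = (0, 20, 1)

# Constructed sample: what GET /status on an unpatched node might return.
SAMPLE_STATUS_JSON = '{"version": "0.20.0", "modules": [], "memory": {}}'


def parse_druid_version(version):
    """Turn '0.20.0' or '0.20.1-incubating' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Druid version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_cve_2021_25646(version):
    return parse_druid_version(version) < FIXED_VERSION


def check_status_document(status_json):
    """Parse a /status response body and return (version, vulnerable)."""
    version = json.loads(status_json)["version"]
    return version, is_vulnerable_cve_2021_25646(version)


# The dropped binaries were chmod'ed for everyone.  Regular files that are both
# world-writable and world-executable are rare in legitimate software, which
# makes that combination a cheap hunting signal.
WORLD_WX = stat.S_IWOTH | stat.S_IXOTH


def suspicious_modes(entries):
    """entries: iterable of (path, st_mode) as os.lstat would report them.
    Return the paths of regular files that are world-writable and world-executable."""
    return [path for path, mode in entries
            if stat.S_ISREG(mode) and (mode & WORLD_WX) == WORLD_WX]


def scan_directory(root):
    """Walk a real directory tree and apply suspicious_modes() to it."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.lstat(full).st_mode))
            except OSError:
                continue  # file vanished or unreadable; skip rather than abort
    return suspicious_modes(entries)


# Constructed sample listing; the paths are assumptions for the demonstration.
SAMPLE_LISTING = [
    ("/tmp/.x/bin1", stat.S_IFREG | 0o777),        # mode 777, flagged
    ("/tmp/.x/bin2", stat.S_IFREG | 0o777),        # mode 777, flagged
    ("/usr/bin/python3", stat.S_IFREG | 0o755),    # executable but not world-writable
    ("/tmp/shared.sock", stat.S_IFSOCK | 0o777),   # not a regular file, ignored
]

if __name__ == "__main__":
    print("druid:", check_status_document(SAMPLE_STATUS_JSON))
    print("sample listing:", suspicious_modes(SAMPLE_LISTING))
    print("/tmp on this host:", scan_directory("/tmp"))
```

`scan_directory` is the piece to run on a live host; pointing it at `/tmp`, `/var/tmp` and the Druid and Hadoop working directories covers the locations a dropped payload is most likely to land in.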
How to Avoid a Hellish Cyber Attack on Apache Big Data
Ahead of a potential wave of attacks against Apache instances, companies should review their footprints for common misconfigurations and ensure all patches are up to date.
Beyond this, the researchers noted that “unknown threats can be identified by scanning environments with run-time detection and response solutions, which can detect exceptional behavior and alert them” and that “it is important to be cautious and aware of threats existing while using open source libraries. Each library and code must be downloaded from a verified distributor.”