Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis as part of an emerging malware campaign designed to deliver a cryptocurrency miner and establish a reverse shell for persistent remote access.
“Attackers are leveraging these tools to emit exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” said Matt Muir, security researcher at Cado, in a report shared with The Hacker News.
The cloud security company has codenamed the activity Spinning YARN, noting overlaps with cloud attacks attributed to TeamTNT, WatchDog, and a cluster nicknamed Kiss-a-dog.
The attack chain starts with the deployment of four new Golang payloads that automate the identification and exploitation of exposed Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities use Masscan or Pnscan to hunt for these services.
“For the Docker compromise, attackers spawn a container and escape from it onto the underlying host,” Muir explained.
Initial access then paves the way for deploying additional tools that install rootkits such as libprocesshider and Diamorphine to hide malicious processes, drop the open-source reverse shell utility Platypus, and finally launch the XMRig miner.
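Both rootkits named above hide processes from directory listings of /proc (libprocesshider by hooking readdir() through /etc/ld.so.preload, Diamorphine from inside the kernel), but neither blocks a direct stat() of /proc/<pid>. The script below is an added example for responders, not Cado's code and not part of the original report: it flags any entry in /etc/ld.so.preload and finds PIDs that are reachable by path yet absent from the /proc listing. The rootkit library names in SUSPECT_PRELOAD_NAMES are the projects' default filenames and are only an assumption; an attacker can rename them, which is why every preload entry is reported.

```python
"""Host-side checks for the process-hiding rootkits mentioned in the article.

Added example (not Cado's code). Assumes a Linux host with procfs mounted.
"""
import os
import re
from typing import Callable, Iterable

# Default filenames of the libprocesshider project (assumption: attackers may rename).
SUSPECT_PRELOAD_NAMES = {"libprocesshider.so", "processhider.so"}


def preload_findings(preload_text: str) -> list:
    """Return every entry in /etc/ld.so.preload worth reviewing.

    The file is normally absent or empty on a healthy host, so every
    non-comment entry is reported; entries whose basename matches a known
    rootkit library are tagged KNOWN-ROOTKIT, everything else UNEXPECTED.
    """
    findings = []
    for raw in preload_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ld.so accepts several libraries per line separated by spaces or colons.
        for path in re.split(r"[\s:]+", line):
            name = os.path.basename(path)
            tag = "KNOWN-ROOTKIT" if name in SUSPECT_PRELOAD_NAMES else "UNEXPECTED"
            findings.append(f"{tag}: {path}")
    return findings


def hidden_pids(listed: Iterable[str], exists: Callable[[int], bool], pid_max: int) -> list:
    """PIDs that answer a direct /proc/<pid> probe but are missing from the listing.

    `listed` is the result of readdir() on /proc (what ps and top see);
    `exists` probes one PID by path, which readdir-hooking rootkits do not filter.
    """
    seen = {int(p) for p in listed if p.isdigit()}
    return [pid for pid in range(1, pid_max + 1) if pid not in seen and exists(pid)]


def live_scan() -> dict:
    """Run both checks against the running host.

    PIDs are probed twice with a fresh listing in between so that processes
    which simply started after the first listdir() are not reported.
    """
    preload_text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            preload_text = fh.read()

    with open("/proc/sys/kernel/pid_max", encoding="ascii") as fh:
        pid_max = int(fh.read().strip())

    probe = lambda pid: os.path.exists(f"/proc/{pid}")
    candidates = hidden_pids(os.listdir("/proc"), probe, pid_max)
    relisted = set(os.listdir("/proc"))
    confirmed = [pid for pid in candidates if str(pid) not in relisted and probe(pid)]

    return {"preload": preload_findings(preload_text), "hidden_pids": confirmed}


if __name__ == "__main__":
    result = live_scan()
    for finding in result["preload"]:
        print("ld.so.preload:", finding)
    for pid in result["hidden_pids"]:
        # /proc/<pid>/comm and /proc/<pid>/exe may be spoofed; treat as a lead, not proof.
        try:
            with open(f"/proc/{pid}/comm", encoding="utf-8", errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        print(f"hidden pid {pid} ({comm})")
    if not result["preload"] and not result["hidden_pids"]:
        print("no preload entries and no hidden PIDs found")
```

Run it as root so that every /proc/<pid> directory is stat-able. A hit in either list is a lead rather than proof: a legitimate preload library (for example a sanitizer or profiler deployed by the platform team) shows up as UNEXPECTED, and a kernel rootkit that hooks stat() as well as readdir() would defeat the PID probe, so corroborate with an offline image or a tool such as unhide.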
“It is clear that attackers are investing a lot of time in understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services, and using this knowledge to gain a foothold in targeted environments,” he said.
The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of attacks against cloud infrastructure from May 2023 to February 2024.
“By leveraging Internet scans to locate vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” said security researchers Tejaswini Sandapolla and Shilpesh Trivedi.
“Once inside, they deploy a variety of advanced evasion techniques, demonstrating a deep understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thus ensuring their malicious activities remain undetected.”
The attacks, which target both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before adopting a series of measures that prioritize stealth and evasion.
It also follows the abuse of cloud services primarily intended for artificial intelligence (AI) workloads to drop cryptocurrency miners and host malware.
“Because both mining and AI require access to large amounts of GPU processing power, there is some degree of transferability to their commodity hardware environments,” HiddenLayer noted last year.
Cado, in its second-half 2023 cloud threat findings report, noted that threat actors are increasingly targeting cloud services that require specialized technical knowledge to exploit, and that cryptojacking is no longer the only motive.
“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it reads. “Cloud and Linux infrastructures are now subject to a wider variety of attacks.”