A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.
The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.
Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to enable DDoS attacks, or to drop XMRig for mining Monero cryptocurrency. Palo Alto said it had also observed attackers using Lucifer to drop the NSA's leaked EternalBlue, EternalRomance, and DoublePulsar exploits and malware on target systems.
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.
Now it is back and targeting Apache servers. Researchers from Aqua Nautilus who have been tracking the campaign said in a blog this week that they had counted more than 3,000 unique attacks against the company's Apache Hadoop, Apache Druid, and Apache Flink honeypots in the last month alone.
Lucifer's 3 Distinct Attack Phases
The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.
The campaign so far has comprised three distinct phases, which the researchers said is likely a sign that the adversary is testing defense evasion techniques before a full-scale attack.
“The campaign began targeting our honeypots in July,” says Nitzan Yaakov, security data analyst at Aqua Nautilus. “During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency.”
During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for misconfigured Hadoop instances. When they detected a misconfigured Hadoop YARN (Yet Another Resource Negotiator) cluster resource management and job scheduling component on Aqua's honeypot, they targeted that instance for exploitation. The misconfiguration on Aqua's honeypot concerned Hadoop YARN's ResourceManager and gave the attackers a way to execute arbitrary code on it via a specially crafted HTTP request.
The attackers exploited the misconfiguration to download Lucifer, execute it, and store it in the Hadoop YARN instance's local directory. They then arranged for the malware to run on a schedule to ensure persistence. Aqua also observed the attacker deleting the binary from the path where it was initially stored in an attempt to evade detection.
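As an added defensive example (not code from the article or from Aqua's report), a small Linux hunting script for the two behaviours just described: a scheduled job that re-runs a payload from a scratch directory, and a process that keeps running after its on-disk binary was deleted. The suspect directory list and the sample crontab are constructed assumptions.

```python
import os
import re
from typing import Dict, List

# Assumed drop locations; add yarn.nodemanager.local-dirs if it lives elsewhere.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample crontab (not from the Aqua report) to exercise the check.
SAMPLE_CRONTAB = """# constructed sample
SHELL=/bin/sh
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/payload >/dev/null 2>&1
@reboot /var/tmp/.cache/run.sh
"""

# Five schedule fields or an @shortcut, then the command (a user field may follow).
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(.*)$")

def suspicious_cron_lines(crontab_text: str) -> List[str]:
    """Return cron entries whose command runs something out of a suspect dir."""
    hits = []
    for line in (l.strip() for l in crontab_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue  # environment assignments such as SHELL=/bin/sh
        cmd = m.group(1)
        if any(cmd.startswith(d + "/") or f" {d}/" in cmd for d in SUSPECT_DIRS):
            hits.append(line)
    return hits

def deleted_exe_processes(exe_links: Dict[int, str]) -> List[int]:
    """pid -> readlink('/proc/<pid>/exe'); Linux appends ' (deleted)' if unlinked."""
    return sorted(p for p, t in exe_links.items() if t.endswith(" (deleted)"))

def read_proc_exe_links() -> Dict[int, str]:  # live /proc/<pid>/exe targets
    links: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:  # kernel threads, exited or unreadable processes
                pass
    return links

if __name__ == "__main__":  # live run on a Linux host; root sees all pids
    print(deleted_exe_processes(read_proc_exe_links()))
    print(suspicious_cron_lines(open("/etc/crontab").read()))
```

Per-user crontabs under /var/spool/cron are worth feeding through the same function, since the article does not say which crontab the persistence entry landed in.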
In the second phase of attacks, the threat actors once again targeted misconfigurations in the Hadoop big-data stack to try to gain initial access. This time, however, instead of dropping a single binary, the attackers dropped two on the compromised system: one that executed Lucifer and another that apparently did nothing.
In the third phase, the attacker switched tactics and, instead of targeting misconfigured Apache Hadoop instances, began looking for vulnerable Apache Druid hosts. Aqua's version of the Apache Druid service on its honeypot was unpatched against CVE-2021-25646, a command injection vulnerability in certain versions of the high-performance analytics database. The vulnerability gives authenticated attackers a way to execute user-defined JavaScript code on affected systems.
The attacker exploited the flaw to inject a command that downloaded two binaries and set read, write, and execute permissions on them for all users, Aqua said. One of the binaries initiated the download of Lucifer, while the other executed the malware. In this phase, the attacker's decision to split the downloading and execution of Lucifer between two binary files appears to have been an attempt to bypass detection mechanisms, the security vendor noted.
Avoid a Hellish Cyberattack on Apache Big Data
Ahead of a potential coming wave of attacks against Apache instances, enterprises should review their footprints for common misconfigurations and ensure all patching is up to date.
Beyond that, the researchers noted that “unknown threats can be identified by scanning your environments with runtime detection and response solutions, which can detect unique behavior and alert about it,” and that “it is important to be cautious and aware of existing threats while using open-source libraries. Every library and code should be downloaded from a verified distributor.”