(Golden Dayz/Shutterstock)
Safety researchers at Aqua Nautilus say they’re monitoring a brand new set of assaults towards Apache Hadoop and Apache Flink functions. The attackers are using stealthy strategies to use a identified safety vulnerability for misconfigured Hadoop and Flink techniques that might allow unauthenticated hackers to run arbitrary code on clusters, the researchers say.
Aqua Nautilus, a safety analysis firm primarily based in Burlington, Vermont, at this time introduced the outcomes of its investigation into the Hadoop and Flink assaults. The corporate said that, over the previous few weeks, it found a “new and attention-grabbing assault” that focused its cloud honeypots. The assaults on Hadoop and Flink seem to observe an identical playbook and exploit comparable vulnerabilities, the corporate says.
On Hadoop, the assault leverages a consumer misconfiguration in ResourceManager, or the pinnacle node for YARN in a Hadoop cluster. “This misconfiguration may be exploited by an unauthenticated, distant attacker via a specifically designed HTTP request, doubtlessly resulting in the execution of arbitrary code, relying on the privileges of the consumer on the node the place the code is executed,” Aqua Nautilus safety analysts Nitzan Yaakov and Assaf Morag wrote in a weblog publish at this time.
In the meantime, the assaults on Apache Flink additionally exploit a misconfiguration “that enables a distant attacker to execute arbitrary code on a system operating Apache Flink without having to authenticate,” Aqua Nautilus mentioned.
Neither of the misconfiguration-based vulnerabilities are new, the corporate says. The truth is, it says it has reported on the issues previously. Nonetheless, the assault vectors themselves seem like new, and the truth that they’re using stealthy strategies, resembling utilizing packers and rootkits to hide their malware, make the assaults noteworthy, the corporate says.
On Hadoop, attackers start their work by sending an unauthenticated request to deploy a brand new utility, adopted by a POST request to execute arbitrary code, the corporate says. The payload is a binary referred to as “dca,” which additional downloads two different binaries for rootkits in addition to a cryptominer referred to as Monero, Aqua Nautilus says.
The assault employs refined protection evasion strategies, resembling using “packed ELF binaries and rootkits which might be undetected by common safety options,” the safety researchers say. “The malware deletes contents of particular directories and modifies system configurations to evade detection.” There’s additionally a persistence mechanism that makes use of cron jobs to obtain and execute a script that deploys the “dca” binary, the corporate says. .
The dangerous guys using this system make the most of particular IP addresses and domains, Aqua Nautilus says, which can assist victims inform in the event that they’ve been hacked. Agent-based safety instruments designed to detect suspicious and malicious conduct will also be used to detect “cryptominers, rootkits, obfuscated or packed binaries, in addition to container drift,” the safety firm says, including that clients who deployed its CNAPP agent-based runtime answer are protected against these sorts of assaults.
Apache Hadoop is a distributed framework used for storing and analyzing giant information units. Whereas the height of Hadoop reputation has handed, there are doubtless hundreds of Hadoop clusters nonetheless operating and offering worth to organizations. Apache Flink, in the meantime, is a distributed framework for constructing streaming functions. Adoptino of the Flink framework remains to be rising.
For extra technical particulars concerning the Hadoop and Flink exploits, take a look at this weblog publish on the Aqua Nautilus web site.
Associated Objects:
Buckle Up: It’s Time for 2024 Safety Predictions
From WormGPT to DarkBERT, GenAI Boosting Cybercriminal Capabilities