
Hackers take advantage of misconfigured servers for crypto mining with YARN, Docker, Confluence, and Redis

Threat actors are currently targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services in a new malware campaign designed to deliver a cryptocurrency miner and create a reverse shell for persistent remote access.

“The attackers are exploiting these tools to deploy exploit code, taking advantage of common misconfigurations and exploiting N-day vulnerabilities to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir stated in a report shared with The Hacker News.

The campaign has been codenamed Spinning YARN by Cado, the cloud security company, and resembles cloud attacks linked to TeamTNT, WatchDog, and a group known as Kiss-a-dog.

It all begins with deploying four new Golang payloads that can automatically identify and exploit vulnerable Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader tools use masscan or pnscan to search for these services.
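The spreaders above only succeed against services whose configuration leaves them reachable and unauthenticated. The following is an added example, not code from the article or from Cado's report, that audits the two configuration files most relevant to the Docker and Redis legs of the campaign: a redis.conf body (the `bind`, `protected-mode` and `requirepass` directives) and a Docker daemon.json body (an API exposed over `tcp://` without `tlsverify`). The directive and key names are the real ones; the sample file contents are constructed for the example.

```python
"""Added example: flag the kind of Redis and Docker exposure the Spinning YARN
spreaders look for.  Sample contents below are constructed, not from the report.
"""
import json
from typing import List


def audit_redis_conf(text: str) -> List[str]:
    """Return findings for a redis.conf body (later directives override earlier ones)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""

    findings = []
    # With no bind directive Redis listens on every interface; '*' and '::' do the same.
    bind = settings.get("bind", "")
    wildcard = {"0.0.0.0", "*", "::", "-::*"}
    if not bind or any(addr in wildcard for addr in bind.split()):
        findings.append("redis: listening on all interfaces (bind)")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not settings.get("requirepass", "").strip('"'):
        findings.append("redis: no requirepass set")
    return findings


def audit_docker_daemon(text: str) -> List[str]:
    """Return findings for a Docker daemon.json body."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        # A tcp:// listener without TLS client verification is an unauthenticated root API.
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"docker: API on {host} without TLS client verification")
    return findings


# Constructed samples: the weak setting beside its hardened form.
WEAK_REDIS = """\
# constructed sample
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS = """\
bind 127.0.0.1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
"""
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
)

if __name__ == "__main__":
    for label, findings in (
        ("weak redis", audit_redis_conf(WEAK_REDIS)),
        ("hardened redis", audit_redis_conf(HARDENED_REDIS)),
        ("weak docker", audit_docker_daemon(WEAK_DOCKER)),
        ("hardened docker", audit_docker_daemon(HARDENED_DOCKER)),
    ):
        print(label, "->", findings or "ok")
```

Pointing the two functions at the real files on a host gives a quick inventory of the exposure the campaign relies on; the Docker check is deliberately strict, since the daemon's own documentation treats a plain TCP listener without TLS as equivalent to unauthenticated root.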

“For the Docker compromise, the attackers create a container and escape from it to the underlying host,” Muir explained.

Initial access then allows for the introduction of additional tools to install rootkits like libprocesshider and diamorphine to hide malicious processes, deploy the Platypus open-source reverse shell utility, and finally launch the XMRig miner.
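Two host-side checks follow as an added example; this is not code from the article or from Cado. libprocesshider is loaded through the dynamic loader's preload file, so an unexpected entry in /etc/ld.so.preload is the first indicator to look for. Process hiding that filters directory listings (a hooked readdir() in user space, or a hooked getdents() in a kernel module) leaves /proc/<pid> reachable by path, so the second check stat()s every candidate PID and compares that set with what a plain listing of /proc returns. The trusted-directory list is an assumption for the audited hosts, and the pure functions run on constructed input so the logic can be exercised offline.

```python
"""Added example: look for preload-based and listing-based process hiding."""
import os
import sys
from typing import Iterable, List, Set

# Assumption (not from the article): on the audited hosts, legitimate preload
# libraries live only under these directories; anything else is flagged.
TRUSTED_PRELOAD_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preload_entries(preload_text: str) -> List[str]:
    """Entries of an /etc/ld.so.preload body outside the trusted library directories."""
    hits = []
    for raw in preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # the loader ignores '#' comments
        if entry and not entry.startswith(TRUSTED_PRELOAD_DIRS):
            hits.append(entry)
    return hits


def pids_from_listing(names: Iterable[str]) -> Set[int]:
    """Numeric entries of a /proc directory listing, i.e. the PIDs readdir() admits to."""
    return {int(n) for n in names if n.isdigit()}


def probe_pids(pid_max: int) -> Set[int]:
    """PIDs whose /proc/<pid> exists, found by stat()ing each path instead of
    listing the directory, so a filtered readdir()/getdents() cannot drop them."""
    return {pid for pid in range(1, pid_max + 1) if os.path.isdir(f"/proc/{pid}")}


def hidden_pids(probed: Iterable[int], listed: Iterable[int]) -> Set[int]:
    """Processes that exist on the host but are missing from the directory listing."""
    return set(probed) - set(listed)


def main() -> int:
    if not os.path.isdir("/proc"):
        print("no /proc here; run on a Linux host")
        return 2
    findings = 0
    try:
        with open("/etc/ld.so.preload") as fh:
            for entry in suspicious_preload_entries(fh.read()):
                print(f"[preload] unexpected library: {entry}")
                findings += 1
    except FileNotFoundError:
        pass  # an absent preload file is the normal state
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = pids_from_listing(os.listdir("/proc"))
    for pid in sorted(hidden_pids(probe_pids(pid_max), listed)):
        print(f"[hidden] /proc/{pid} exists but is not listed")
        findings += 1
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Probing up to pid_max takes a few seconds on a host with a large PID space, and a process that starts or exits between the listing and the probe shows up as a one-off discrepancy, so a PID reported here should be confirmed by a second run before it is treated as hidden.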

“It’s evident that attackers are investing considerable time in understanding the web-facing services deployed in cloud environments, staying informed about reported vulnerabilities in these services, and using this knowledge to penetrate target environments,” the company remarked.

This development comes as Uptycs disclosed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of attacks on cloud infrastructure from May 2023 to February 2024.

“By using internet scans to find vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi explained.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and disabling cloud security services to ensure their malicious activities go undetected.”

The attacks target both Windows and Linux hosts, with the goal of deploying a cryptocurrency miner only after taking steps to maintain stealth and avoid detection.

This trend follows the misuse of cloud services primarily designed for AI solutions to deploy cryptocurrency miners and host malware.

“Both mining and AI necessitate access to significant GPU processing power, making their base hardware environments somewhat interchangeable,” HiddenLayer observed last year.

In its H2 2023 Cloud Threat Findings Report, Cado noted that threat actors are increasingly focusing on cloud services that require specialized technical knowledge to exploit, with cryptojacking no longer the sole motivation.

“With the emergence of new Linux variants of ransomware families, such as Abyss Locker, there is a concerning trend of ransomware targeting Linux and ESXi systems,” they stated. “Cloud and Linux infrastructure are now vulnerable to a wider range of attacks.”
