Security researchers have uncovered a new attack targeting Apache Hadoop and Flink applications.
The attacks exploit misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency cryptocurrency miners.
Apache Hadoop is an open-source software framework designed for the distributed storage and processing of large sets of data using a cluster of commodity hardware.
Apache Flink is an open-source, unified stream-processing and batch-processing framework developed by the Apache Software Foundation.
Attackers exploit a misconfiguration of the ResourceManager of the YARN in Hadoop to drop and execute the binary dca, which downloads two other binaries (rootkits) and writes to disk a Monero cryptominer.
The attacker sends an unauthenticated request to deploy a new application, and then he attempts torun a remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker’s command. With this specially crafted package, an attacker can execute arbitrary code depending on the privileges of the user on the node where the code is executed.
The attack against the Apache Flink is quite similar and exploits a misconfiguration that allows a remote, unauthenticated attacker to achieve code execution.
This research was documented by the researchers from Aquasec
Indicators of Compromise
- 58794e43c039fe20281bf0777721c8ce
- 94e0f679758facf683a217774e29c2b2
- 901ac649b47e0261d88f568f02c90412
- cebadcafee4ed6a69c64ab08496163d7
- 0a100f6a07e7fd611553ef7c42f37f5a
- 38d898459a3f530e2db083e1bb1e1524
