Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks

January 12, 2024 at 03:09AM

Cybersecurity researchers have discovered a new attack that uses misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners and conceal them with rootkits. The attackers exploit these misconfigurations to run code remotely on targeted systems and then hide the mining processes. Recommended mitigations include deploying agent-based security solutions that can detect and prevent such attacks.

From the meeting notes:

– Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners in targeted environments.
– The attack uses packers and rootkits to conceal the malware; once deployed, the malware deletes the contents of specific directories and modifies system configuration to evade detection.
– The infection chain targeting Hadoop leverages a misconfiguration in YARN's ResourceManager, while the attacks aimed at Apache Flink target a misconfiguration that lets a remote attacker achieve code execution without authentication.
– The attacks are noteworthy for their use of rootkits to hide the crypto-mining processes after an initial foothold in the Hadoop and Flink applications has been obtained.
– The attacker sends an unauthenticated request to deploy a new application, which triggers the execution of a command that clears the /tmp directory, fetches a file from a remote server, and executes a payload that includes a Monero cryptocurrency miner binary.
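
The Hadoop half of this chain depends on a ResourceManager that accepts application submissions from unauthenticated callers. The following audit script is an added example, not code from the article or from the Hadoop project: it parses core-site.xml and yarn-site.xml and reports the settings that leave the ResourceManager open in that way. The property names and their defaults are real Hadoop configuration keys; the two XML documents and the hostname rm.internal.example are constructed sample input.

```python
import xml.etree.ElementTree as ET

def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop <configuration> XML document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_yarn_exposure(core_site_xml, yarn_site_xml):
    """Return a list of findings (empty list = none) describing settings that let
    anonymous callers submit applications to the YARN ResourceManager.
    Missing properties are evaluated at their Hadoop defaults."""
    core = parse_hadoop_config(core_site_xml)
    yarn = parse_hadoop_config(yarn_site_xml)
    findings = []
    # Default 'simple' auth: the caller simply asserts its own username.
    if core.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos': RPC and REST callers are not authenticated")
    # Web UIs and the REST API use a separate filter, also 'simple' by default.
    if core.get("hadoop.http.authentication.type", "simple").lower() == "simple":
        findings.append("hadoop.http.authentication.type is 'simple': REST API accepts anonymous application submission")
    # With ACLs off, any caller that reaches the RM may submit to any queue.
    if yarn.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable is false: no access control on application submission")
    # Default webapp address is ${yarn.resourcemanager.hostname}:8088 with hostname 0.0.0.0.
    if yarn.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088").startswith("0.0.0.0"):
        findings.append("yarn.resourcemanager.webapp.address binds every interface, exposing the REST API")
    return findings

def _cfg(*pairs):
    """Build a constructed Hadoop-style XML document from (name, value) pairs."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"

# Constructed sample configs: a wide-open deployment and a hardened one.
WEAK_CORE = _cfg(("hadoop.security.authentication", "simple"))
WEAK_YARN = _cfg(("yarn.resourcemanager.webapp.address", "0.0.0.0:8088"))
HARD_CORE = _cfg(("hadoop.security.authentication", "kerberos"),
                 ("hadoop.http.authentication.type", "kerberos"))
HARD_YARN = _cfg(("yarn.acl.enable", "true"),
                 ("yarn.resourcemanager.webapp.address", "rm.internal.example:8088"))

if __name__ == "__main__":
    for finding in audit_yarn_exposure(WEAK_CORE, WEAK_YARN):
        print("FINDING:", finding)
```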

In summary, the meeting notes cover a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners, including the use of rootkits to conceal the mining processes. They also record specific details of the attack methods and the recommendation that organizations deploy agent-based security solutions to detect such threats.
