Cloud-y Linux Malware Rains on Apache, Docker, Redis & Confluence


March 6, 2024 at 05:39PM

Researchers have detected a cyber campaign targeting vulnerable cloud servers running Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers deploy a cryptomining tool and a Linux-based reverse shell for potential future targeting. The campaign, known as Spinning YARN, exploits known vulnerabilities and misconfigurations, with tactics overlapping with threat groups TeamTNT and WatchDog.

Key takeaways from the report:

– The campaign, named Spinning YARN, is automated: it scans for and compromises internet-reachable servers running Apache Hadoop, Atlassian Confluence, Docker, and Redis.
– Initial access comes from common cloud misconfigurations (an exposed Docker Engine API, an unauthenticated Hadoop YARN ResourceManager, Redis reachable without authentication) and from CVE-2022-26134, a 2022 remote code execution vulnerability in Confluence Server and Data Center.
– Docker in particular is used as the foothold from which the attackers reach an organization's broader cloud environment.
– Once on a host, the attacker drops a cryptocurrency miner and installs a Linux reverse shell, leaving a route back in for later targeting and additional malware.
– The payload set is unusual for a cryptojacking campaign: a reverse shell utility, user-mode rootkits to hide processes, and the miner itself.
– The attack chain runs through several stages: establishing contact with a remote command-and-control server, retrieving and deploying the payloads, and anti-forensic steps to cover the intrusion.

The campaign relies on known weaknesses rather than novel exploits, so the defences are equally well known: patch Confluence for CVE-2022-26134, keep the Docker Engine API, the YARN ResourceManager, and Redis off the public internet (or behind TLS client authentication, Kerberos, and a password respectively), and monitor for unexpected miners, new cron jobs, and outbound connections from cloud hosts.
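As an added example (not code from the article or from the researchers who published the report), the script below audits, offline, the three misconfigurations the campaign abuses: a Docker daemon listening on plain TCP, a Redis server reachable from the network without a password, and a Hadoop cluster without Kerberos, which leaves the YARN ResourceManager REST API open to anyone who can reach it. The configuration snippets at the bottom are constructed samples, and the file paths named in the comments are the usual defaults rather than anything the article states.

```python
"""Offline audit for the misconfigurations abused by Spinning YARN-style
cryptojacking: exposed Docker Engine API, unauthenticated Redis, Hadoop
without Kerberos. Added example; sample inputs are constructed."""
import json
import shlex
import xml.etree.ElementTree as ET


def audit_docker(daemon_json: str, dockerd_cmdline: str) -> list[str]:
    """Flag a Docker Engine API served over TCP without TLS client auth.

    daemon_json: contents of /etc/docker/daemon.json (may be empty).
    dockerd_cmdline: the dockerd command line (systemd ExecStart or ps output).
    """
    hosts, tls = [], False
    if daemon_json.strip():
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls = bool(cfg.get("tlsverify", False))
    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tls = tls or "--tlsverify" in args
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = host[len("tcp://"):]
        if not tls:
            findings.append(f"docker: API on {addr} without TLS client auth")
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"docker: API bound to all interfaces ({addr})")
    return findings


def audit_redis(redis_conf: str) -> list[str]:
    """Flag a Redis that answers unauthenticated commands on non-loopback interfaces.

    Mirrors Redis' own rule: protected-mode only shields the server when there
    is no bind directive and no requirepass; an explicit bind disables it.
    """
    settings: dict[str, list[str]] = {}
    for line in redis_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    bind_set = "bind" in settings
    bind_addrs = settings["bind"][-1].split() if bind_set else []
    loopback_only = bind_set and all(
        a.lstrip("-").startswith(("127.", "::1")) for a in bind_addrs)
    has_pass = bool(settings.get("requirepass", [""])[-1])
    protected = settings.get("protected-mode", ["yes"])[-1].lower() == "yes"
    findings = []
    if not has_pass and not loopback_only and (bind_set or not protected):
        findings.append("redis: reachable from non-loopback interfaces with no requirepass")
    return findings


def audit_hadoop(core_site_xml: str) -> list[str]:
    """Flag a Hadoop cluster without Kerberos (core-site.xml).

    With the default 'simple' authentication, the YARN ResourceManager REST
    API lets any network client submit an application, i.e. run commands.
    """
    props = {}
    for prop in ET.fromstring(core_site_xml).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    auth = props.get("hadoop.security.authentication", "simple")  # Hadoop default
    if auth.lower() != "kerberos":
        return [f"hadoop: hadoop.security.authentication={auth}; YARN RM API is unauthenticated"]
    return []


# Constructed sample configs: each one reproduces a weakness the campaign abuses.
DOCKER_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DOCKERD_CMDLINE = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"
REDIS_CONF = "# constructed sample\nbind 0.0.0.0\nprotected-mode yes\nport 6379\n"
CORE_SITE_XML = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""


def run_audit() -> list[str]:
    """Run all three checks over the constructed samples and return the findings."""
    return (audit_docker(DOCKER_DAEMON_JSON, DOCKERD_CMDLINE)
            + audit_redis(REDIS_CONF)
            + audit_hadoop(CORE_SITE_XML))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On a real host, feed the functions the contents of /etc/docker/daemon.json and the dockerd ExecStart line, /etc/redis/redis.conf, and $HADOOP_CONF_DIR/core-site.xml; an empty list from all three means none of the campaign's initial-access paths is open from the configuration side, though Confluence patch state still has to be checked separately.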
