Skip to content Skip to footer

Emerging Malware Campaign Targets Misconfigured Servers: Cado Security

researchers have identified an emerging campaign codenamed “Spinning YARN” that targets misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Confluence, and Redis services. The campaign is designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access. Threat actors leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day to conduct Remote Code Execution (RCE) attacks and infect new hosts.

The cloud security company Cado has identified the activity and found overlaps with cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog. The attackers deploy four novel Golang payloads capable of automating, identifying, and exploiting susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader leverage mass can or pecan to hunt for these services.

Once attackers gain initial access, they deploy additional tools to install rootkits like libprocesshider and diamorphine, conceal malicious processes, drop the Platypus open-source reverse shell utility, and launch the XMRig miner. The attackers invest significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported in those services, and using this knowledge to gain a foothold in target environments.

This development comes as Uptycs revealed 8220 Gang's exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.

Threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and cryptojacking is no longer the only motive. In its H2 2023 Cloud Threat Findings Report, Cado noted that with the discovery of new variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on and ESXi systems. Cloud and infrastructure is now subject to a wider variety of attacks, and it is essential to have the proper preventive measures in place to safeguard the security of your systems.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

- Mrs. Murphy: What did you learn in school today?
- Dade: Revenge.
Lauren Murphy & Dad

Deitasoft © 2024. All Rights Reserved.