
Attackers deploy rootkits on misconfigured Apache Hadoop and Flink servers

From rootkits to cryptomining

In the attack chain against Hadoop, the attackers first exploit the misconfiguration to create a new application on the cluster and allocate computing resources to it. In the application container configuration, they put a series of shell commands that use the curl command-line tool to download a binary called “dca” from an attacker-controlled server inside the /tmp directory and then execute it. A subsequent request to Hadoop YARN will execute the newly deployed application and therefore the shell commands.

Dca is a Linux-native ELF binary that serves as a malware downloader. Its primary purpose is to download and install two rootkits and to drop another binary, called tmp, on disk. It also sets a crontab job to execute a script called dca.sh to ensure persistence on the system. The tmp binary bundled into dca is a Monero cryptocurrency mining program, while the two rootkits, called initrc.so and pthread.so, are used to hide the dca.sh script and the tmp file on disk.

The IP address that was used to target Aqua’s Hadoop honeypot was also used to target Flink, Redis, and Spring Framework honeypots (via CVE-2022-22965). This suggests that the Hadoop attacks are likely part of a larger operation that targets different technologies, as with TeamTNT’s operations in the past. When probed via Shodan, the IP address seemed to host a web server with a Java interface named Stage that is likely part of the Java payload implementation from the Metasploit Framework.

“To mitigate vulnerabilities in Apache Flink and Hadoop ResourceManager, specific strategies need to be implemented,” Assaf Morag, a security researcher at Aqua Security, tells CSO via email. “For Apache Flink, it’s crucial to secure the file upload mechanism. This involves restricting the file upload functionality to authenticated and authorized users and implementing checks on the types of files being uploaded to ensure they are legitimate and safe. Measures like file size limits and file type restrictions can be particularly effective.”

Meanwhile, Hadoop ResourceManager needs to have authentication and authorization configured for API access. Possible options include integration with Kerberos — a common choice for Hadoop environments — LDAP or other supported enterprise user authentication systems.

“Additionally, setting up access control lists (ACLs) or integrating with role-based access control (RBAC) systems can be effective for authorization configuration, a feature natively supported by Hadoop for various services and operations,” Morag says. It’s also recommended to consider deploying agent-based security solutions for containers that monitor the environment and can detect cryptominers, rootkits, obfuscated or packed binaries, and other suspicious runtime behaviors.
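The ResourceManager hardening described above comes down to a handful of Hadoop properties. The following audit script is an added example, not code from Aqua or the Hadoop project: it parses Hadoop’s XML property format and flags the settings that leave YARN open to unauthenticated application submission. The property names and their shipped defaults are real; the two sample configurations are constructed for the example and merge what would normally live in core-site.xml and yarn-site.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the out-of-the-box state that lets anyone submit a YARN application
WEAK_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>"""

# Constructed sample: Kerberos authentication, service-level authorization and YARN ACLs on
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn,hadoopadmin</value></property>
</configuration>"""

# Required values; the comments give Hadoop's shipped default for each property
REQUIRED = {
    "hadoop.security.authentication": {"kerberos"},  # default "simple": caller picks its own username
    "hadoop.security.authorization": {"true"},        # default false: no service-level ACL checks
    "yarn.acl.enable": {"true"},                      # default false: anyone may submit/kill apps
}

def parse_hadoop_config(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML configuration."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(props):
    """Return a list of findings; an empty list means the checked settings are hardened."""
    findings = []
    for key, ok_values in REQUIRED.items():
        actual = props.get(key, "<unset>")
        if actual.lower() not in ok_values:
            findings.append(f"{key}={actual} (expected one of {sorted(ok_values)})")
    # yarn.admin.acl defaults to "*": with ACLs enabled that still makes every user a YARN admin
    if props.get("yarn.acl.enable", "").lower() == "true" and props.get("yarn.admin.acl", "*") == "*":
        findings.append("yarn.admin.acl=* (every user is a YARN administrator)")
    return findings

def audit_config_text(xml_text):
    return audit(parse_hadoop_config(xml_text))
```

Run it against the exported core-site.xml and yarn-site.xml of a cluster; each finding names the property and the value that should replace it.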
