Since its discovery in the summer of 2016 variations of the Mirai botnet, which infects and chains Internet-connected surveillance cameras and routers to spread malware and launch distributed denial of service attacks, have been a thorn in the side of CISOs.
Now they have another worry: A variant that targets vulnerable Linux servers for hosting DDoS and Monero cryptomining software.
“Mirai is no longer solely targeting IoT devices,” say researchers from Netscout in a blog released Wednesday. “While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it’s much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices.”
The bot is looking particularly for servers open to what is called the YARN vulnerability in the open source Hadoop framework for distributed storage. According to security vendor ExtraHop, YARN (short for Yet Another Resource Negotiator), provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. The exploit is a command injection flaw that allows the attacker to execute arbitrary shell commands. According to a column earlier this month by a Radware researcher, there are still about 1,000 vulnerable servers all over the world.
Radware detected nearly 12 million exploit attempts from the U.S. on its detection network between September and the middle of this month Great Britain and Italy each were responsible for 6 million attempts, closely followed by Germany with 4.8 million attempts. Radware’s U.K. and Germany honeypots were hit twice as hard compared to the rest of the world. The average numbers for each region were between 1.6 and 3.2 million attempted exploits at the time, although the attempt rate has been slowing to a mere 350,000 a day as of Nov. 15.
Judging by the limited number of sources Netscout has seen continually scanning for the Hadoop YARN vulnerability, its researchers suspect a small group of attackers are behind this campaign. “Their goal is clear – to install the malware on as many devices as possible. Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.”
ExtraHop noted the ability to remotely execute arbitrary code without authentication in a Hadoop cluster from the public internet can very easily become a mechanism for stealing or destroying large volumes of sensitive data. “No domain from the public internet should be issuing shell commands against your Hadoop clusters,” says ExtraHop. “If that’s happening, your security team needs to know right away.”
Remote command execuction exploits against the YARN REST API can in part by checked by strong protections around who and what can access data in Hadoop stores, and especially around which new applications can use YARN to tap data and resources in Hadoop, ExtraHop said.
See also this note from Apache on YARN security.