2024-01-11

Researchers have discovered a new malware attack campaign that exploits misconfigurations in Apache Hadoop and Flink, two technologies for processing big data sets and data streams. The attackers behind the campaign exploit these issues without authentication to deploy rootkits on the underlying systems and then install a Monero cryptocurrency mining program.

“This attack is particularly intriguing due to the attacker’s use of packers and rootkits to conceal their malware,” researchers from Aqua Security said in a report. “The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses.”

Lack of authentication in Hadoop YARN and Flink

The attackers took advantage of a misconfiguration in the ResourceManager component of Hadoop YARN that allows unauthenticated users to send API requests to deploy new applications. Hadoop YARN (Yet Another Resource Negotiator) is the Hadoop component that separates resource management and application job scheduling from the data processing layer. Hadoop itself is an open-source framework that allows large data sets to be distributed and processed across clusters of computers and is a common tool for data scientists.

“The YARN permits unauthenticated users to create and run applications. This misconfiguration can be exploited by an unauthenticated, remote attacker through a specially designed HTTP request, potentially leading to the execution of arbitrary code, depending on the privileges of the user on the node where the code is executed,” the researchers said.

This issue is not new and has been exploited before by attackers to compromise Hadoop clusters, for example last year in campaigns by a group dubbed TeamTNT that specializes in attacking multiple cloud-native technologies including Kubernetes clusters, Docker APIs, Weave Scope instances, JupyterLab and Jupyter Notebook deployments, and Redis servers.
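The misconfiguration the researchers describe comes down to Hadoop's HTTP authentication settings: with the shipped defaults, the ResourceManager web endpoints accept anonymous callers and attribute their requests to a static user. The following Python script is an added example written for this article, not code from Aqua Security's report or from the Hadoop project. It audits a core-site.xml for those settings and scans a ResourceManager `/ws/v1/cluster/apps` listing for applications submitted by the anonymous user, which is how an unauthenticated submission shows up in the cluster's own records. The property names (`hadoop.http.authentication.type`, `hadoop.http.authentication.simple.anonymous.allowed`, `hadoop.http.staticuser.user`, `hadoop.security.authentication`, `hadoop.security.authorization`) and the default value `dr.who` are Hadoop's real ones; the config files and the application listing are constructed samples.

```python
"""Defender-side checks for the YARN ResourceManager exposure described above.

Two checks:
  1. Audit Hadoop's core-site.xml for the HTTP authentication settings that
     leave the ResourceManager REST API open to anonymous callers.
  2. Scan a ResourceManager /ws/v1/cluster/apps response for applications
     attributed to the anonymous static user ("dr.who"), which is what an
     unauthenticated submission looks like in the cluster's own records.
"""
import json
import xml.etree.ElementTree as ET

# Real Hadoop property names; the defaults are the values shipped in
# core-default.xml (simple auth with anonymous access allowed).
HTTP_AUTH_TYPE = "hadoop.http.authentication.type"
ANON_ALLOWED = "hadoop.http.authentication.simple.anonymous.allowed"
STATIC_USER = "hadoop.http.staticuser.user"
DEFAULTS = {HTTP_AUTH_TYPE: "simple", ANON_ALLOWED: "true", STATIC_USER: "dr.who"}


def load_hadoop_conf(xml_text):
    """Parse Hadoop's <configuration><property> XML into a name -> value dict."""
    conf = {}
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            conf[name.strip()] = (value or "").strip()
    return conf


def audit_http_auth(conf):
    """Return a list of findings; an empty list means web/REST callers are authenticated."""
    effective = {**DEFAULTS, **conf}  # unset properties fall back to shipped defaults
    findings = []
    if effective[HTTP_AUTH_TYPE] == "simple":
        findings.append(f"{HTTP_AUTH_TYPE}=simple: web UI/REST callers are not authenticated")
        if effective[ANON_ALLOWED].lower() == "true":
            findings.append(f"{ANON_ALLOWED}=true: anonymous requests are accepted and "
                            f"mapped to user '{effective[STATIC_USER]}'")
    return findings


def find_anonymous_apps(apps_json, static_user="dr.who"):
    """Return ids of apps submitted by the anonymous static user.

    Input is the JSON body of GET /ws/v1/cluster/apps, whose shape is
    {"apps": {"app": [ {...}, ... ]}} or {"apps": null} when the cluster is idle.
    """
    data = json.loads(apps_json)
    apps = (data.get("apps") or {}).get("app") or []
    return [a["id"] for a in apps if a.get("user") == static_user]


# Constructed samples (not taken from the report): a core-site.xml that keeps
# the shipped HTTP-auth defaults, a hardened one, and an apps listing with one
# anonymous submission alongside a legitimate job.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
</configuration>"""

HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""

SAMPLE_APPS = json.dumps({"apps": {"app": [
    {"id": "application_1700000000000_0001", "user": "etl", "name": "nightly-join", "state": "FINISHED"},
    {"id": "application_1700000000000_0002", "user": "dr.who", "name": "x", "state": "RUNNING"},
]}})

if __name__ == "__main__":
    for label, xml_text in (("as shipped", SAMPLE_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        findings = audit_http_auth(load_hadoop_conf(xml_text))
        print(f"{label}: {findings or 'OK'}")
    print("anonymous submissions:", find_anonymous_apps(SAMPLE_APPS))
```

The second check is the one worth wiring into monitoring: a cluster that is supposed to require Kerberos should never show `dr.who` as the submitting user, so any such application id is a direct indicator that the REST API was reachable without credentials.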

The attackers behind the new campaign observed by Aqua also targeted Apache Flink, an open-source data stream-processing and batch-processing framework, through a different insecure configuration in the file upload mechanism, which can allow unauthenticated attackers to upload rogue JAR (Java Archive) files onto the server. As in the case of Hadoop, this can lead to remote code execution on the server.