
Hackers Use Malfunctioning YARN, Docker, Confluence, and Redis Servers to Mine Cryptocurrencies

As part of an evolving malware operation aimed at delivering a bitcoin miner and spawning a reverse shell for permanent remote access, threat actors are targeting misconfigured and insecure servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services.

According to a study shared with The Hacker News by Cado Security researcher Matt Muir, “the attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts.”

The cloud security company has given the activity the codename Spinning YARN. It overlaps with cloud attacks previously attributed to TeamTNT, WatchDog, and a cluster known as Kiss-a-dog.

The first step is to launch four unique Golang payloads that can automatically find and take advantage of vulnerable Confluence, Docker, Hadoop YARN, and Redis servers. The spreader utilities look for these services using masscan or pnscan.

“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir said.

Initial access then makes it possible to use other tools to drop the open-source Platypus reverse shell, install rootkits such as libprocesshider and diamorphine to hide malicious processes, and finally start the XMRig miner.
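The chain above starts from misconfigured services rather than from a zero-day, so the cheapest defence is a configuration audit. The following added example (not Cado's tooling and not code from the report) checks Docker and Redis configuration text for two exposures; the page only says “common misconfigurations”, so the specific checks, a TCP-exposed Docker API without TLS client verification and a password-less Redis bound to all interfaces, are assumed here. The config snippets are constructed.

```python
"""Audit Docker daemon.json and redis.conf text for remote-exposure misconfigurations.
Added example; the checks and sample configs are assumptions, not from the report."""
import json


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag a Docker daemon that listens on TCP without requiring TLS client certs."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(f"docker: API on {', '.join(tcp_hosts)} without tlsverify")
    return findings


def audit_redis_conf(redis_conf: str) -> list[str]:
    """Flag a Redis instance reachable from any interface with no password set."""
    directives = {}
    for line in redis_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    findings = []
    tokens = directives.get("bind", "").split()  # no bind directive = all interfaces
    open_bind = not tokens or any(t.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for t in tokens)
    if open_bind and "requirepass" not in directives:
        findings.append("redis: listens on all interfaces with no requirepass")
    if directives.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    return findings


def audit_all(docker_json: str, redis_conf: str) -> list[str]:
    return audit_docker_daemon(docker_json) + audit_redis_conf(redis_conf)


# Constructed samples: a weak pair of configs and a hardened pair.
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = "bind 127.0.0.1\nprotected-mode yes\nrequirepass <placeholder-strong-secret>\n"

if __name__ == "__main__":
    for finding in audit_all(WEAK_DOCKER, WEAK_REDIS):
        print(finding)
```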

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the business said.

This finding coincides with Uptycs’ revelation that the 8220 Gang exploited known security holes in Atlassian Confluence Server and Data Center (CVE-2022-26134) and Apache Log4j (CVE-2021-44228) as part of a wave of attacks against cloud infrastructure that took place between May 2023 and February 2024.


Security experts Tejaswini Sandapolla and Shilpesh Trivedi stated, “By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access.”

“Once inside, they use a variety of sophisticated evasive strategies, exhibiting a thorough comprehension of how to maneuver around and control cloud environments for their benefit. This ensures that their harmful operations stay undiscovered by turning off security enforcement, changing firewall rules, and eliminating cloud security services.”

The attacks target both Windows and Linux hosts and are designed to install a bitcoin miner after a series of stealthy and evasive actions.

The findings also come as cloud services intended for artificial intelligence (AI) workloads are being abused to host malware and drop bitcoin miners.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer said in 2017.

In its H2 2023 Cloud Threat Findings Report, Cado said that cryptojacking is no longer the primary reason threat actors are focusing on cloud services, which require specialized technical expertise to attack.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”
